IAS RADIUS Server Configuration for 802.1x EAP-MS-CHAP v2

This article describes the steps required to set up a resilient 802.1X Wi-Fi RADIUS authentication infrastructure (two IAS servers, PEAP with EAP-MS-CHAP v2); a must for any SMB.

This article assumes you have already configured your Wireless Access Point with the IP addresses / FQDNs of both RADIUS servers and a shared secret. Use a long, random shared secret (and a different one per access point): the RADIUS protocol's MD5-based protections are only as strong as that secret.

IAS / Certificate Services Installation and Configuration: Primary RADIUS Server

To optimize IAS authentication and authorization response times and minimize network traffic, install IAS on a domain controller. Be aware that the steps below also place IIS and an Enterprise root CA on that domain controller, which widens its attack surface; weigh this against the performance benefit.

  1. First, install IIS on your Domain Controller (Certificate Services uses it for the /certsrv web enrolment pages used later in this article).
  2. Next, install Certificate Services as an Enterprise root CA (Enterprise root CA mode). Give the CA the same name as the server.
  3. Next, create a new Global Group, 'Wireless Users and Computers', and add the computer AND user objects that you wish to grant IAS RADIUS access.
  4. Ensure that the user accounts are configured to allow Remote Access (Dial-in tab: 'Allow access', or 'Control access through Remote Access Policy' so that the policy created below decides).
  5. Next, install IAS (via Add/Remove Programs > Windows Components > Networking Services).

You will also need to request a server authentication certificate (for example from the RAS and IAS Server template on the Enterprise CA) for each IAS server you wish to configure. The PEAP TLS tunnel is built against this certificate, so its subject name must be one the clients can validate (see Client Configuration below).

Create IAS RADIUS Clients

Next, load the IAS MMC snap-in and select Clients.

  1. Right-click Clients > New > enter a friendly name
  2. Ensure that the protocol is 'RADIUS'
  3. Enter the Access Point's IP address (one client entry per AP)
  4. Select RADIUS Standard as the client vendor
  5. Tick 'Client must always send the signature attribute in the request'. The signature attribute is Message-Authenticator (RFC 2869), an HMAC-MD5 over the whole request keyed with the shared secret; with this ticked, IAS rejects any Access-Request from this client that omits it, so a request forged from the AP's IP address without knowledge of the secret is dropped rather than processed.
  6. Enter the shared secret as configured on the AP
  7. Click Finish

(Figure: RADIUS2.png)

Configure Remote Access Policies

  1. Select Remote Access Policies
  2. Right-click Remote Access Policies > New Remote Access Policy
  3. Enter a friendly name
  4. Click Next
  5. On the conditions window, click Add
  6. Select Windows Groups and click Add
  7. Click Add, set the domain as the location and search for the Global Group, then click OK; you will return to the conditions window
  8. Click Add, select NAS-Port-Type, then select Wireless – IEEE 802.11 and click Add
  9. Also select Wireless – Other and click Add, then click OK; you will return to the conditions window. (Both values are needed because access points report either one; requests from any other port type, e.g. wired Ethernet, will not match this policy.)
  10. Click Next
  11. Select Grant Remote Access Permission
  12. Click Edit Profile, then select the 'Authentication' tab
  13. Enable Extensible Authentication Protocol and select Protected EAP (PEAP) as the EAP type from the drop-down box
  14. Disable all other authentication types (MS-CHAP, MS-CHAP v2, CHAP, PAP and unauthenticated access) so that user credentials are only ever exchanged inside the PEAP TLS tunnel
  15. Click Configure under the Extensible Authentication Protocol group
  16. Ensure that Secured password (EAP-MSCHAP v2) is listed as the EAP type
  17. Select the IAS/RADIUS server authentication certificate you wish to use for authentication (note: if the certificate is replaced in future, change it here)

(Figure: RADIUS3.png)

  18. Click OK
  19. Click OK until the Remote Access Policy configuration window closes

(Figure: RADIUS1.png)
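The two settings above that do the real security work, the 'Client must always send the signature attribute' tick on the RADIUS client and the NAS-Port-Type / Windows Groups conditions on the policy, are easiest to understand by seeing what the server checks on the wire. The following is an added example, not code from the article or from IAS: it builds an Access-Request the way an access point would (RFC 2865 framing, EAP-Message and a Message-Authenticator HMAC-MD5 per RFC 2869) and then evaluates it in the same order the article's configuration does. The shared secret, user names, group membership and EAP identity payload are constructed for the demonstration.

```python
"""Constructed example: the RADIUS checks behind the IAS settings above.

Not code from the original article or from IAS itself; the shared secret,
user names, group membership and EAP payload are all made up for the demo.
"""
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80          # the "signature attribute" in the IAS client dialog
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS_OTHER = 18        # "Wireless - Other"
NAS_PORT_TYPE_WIRELESS_80211 = 19        # "Wireless - IEEE 802.11"
WIRELESS_PORT_TYPES = {NAS_PORT_TYPE_WIRELESS_OTHER, NAS_PORT_TYPE_WIRELESS_80211}

# Constructed stand-in for the 'Wireless Users and Computers' global group
WIRELESS_GROUP = {"CORP\\alice", "CORP\\LAPTOP01$"}

# Constructed EAP-Response/Identity ("alice") as the AP would relay it from the supplicant
SAMPLE_EAP_IDENTITY = b"\x02\x01\x00\x0a\x01alice"


def _attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, user_name, nas_port_type, eap_payload=SAMPLE_EAP_IDENTITY,
                         identifier=1, authenticator=None, with_message_authenticator=True):
    """Build an Access-Request as the AP would, optionally signing it with the shared secret."""
    authenticator = authenticator or os.urandom(16)            # 16-byte Request Authenticator
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", nas_port_type))
             + _attr(ATTR_EAP_MESSAGE, eap_payload))
    if with_message_authenticator:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    if with_message_authenticator:
        # HMAC-MD5 over the whole packet (placeholder still zero), keyed with the shared secret
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac
    return pkt


def parse_attributes(pkt):
    """Return [(type, value_offset, value)] for every attribute, rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        alen = pkt[pos + 1]
        out.append((pkt[pos], pos + 2, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(secret, pkt):
    """True only if exactly one Message-Authenticator is present and its HMAC-MD5 verifies."""
    found = [(off, val) for atype, off, val in parse_attributes(pkt)
             if atype == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, received = found[0]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]          # recompute with the value zeroed
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def evaluate_request(secret, pkt, wireless_group=WIRELESS_GROUP):
    """Apply the article's settings in order: signature required, EAP only, wireless port type, group."""
    try:
        attrs = parse_attributes(pkt)
    except ValueError as exc:
        return False, f"malformed request: {exc}"
    by_type = {}
    for atype, _off, val in attrs:
        by_type.setdefault(atype, []).append(val)
    if ATTR_MESSAGE_AUTHENTICATOR not in by_type:
        return False, "missing Message-Authenticator (client must always send the signature attribute)"
    if not verify_message_authenticator(secret, pkt):
        return False, "bad Message-Authenticator (wrong shared secret or tampered packet)"
    if ATTR_EAP_MESSAGE not in by_type:
        return False, "no EAP-Message (only PEAP is enabled in the remote access policy)"
    port_types = [struct.unpack("!I", v)[0] for v in by_type.get(ATTR_NAS_PORT_TYPE, []) if len(v) == 4]
    if not port_types or port_types[0] not in WIRELESS_PORT_TYPES:
        return False, "NAS-Port-Type is not Wireless - IEEE 802.11 or Wireless - Other"
    user = by_type.get(ATTR_USER_NAME, [b""])[0].decode("utf-8", errors="replace")
    if user not in wireless_group:
        return False, f"{user} is not in the wireless group"
    return True, "conditions match; continue the PEAP / EAP-MSCHAP v2 exchange"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    good = build_access_request(secret, "CORP\\alice", NAS_PORT_TYPE_WIRELESS_80211)
    wired = build_access_request(secret, "CORP\\alice", NAS_PORT_TYPE_ETHERNET)
    unsigned = build_access_request(secret, "CORP\\alice", NAS_PORT_TYPE_WIRELESS_80211,
                                    with_message_authenticator=False)
    for label, req in ("good", good), ("wired", wired), ("unsigned", unsigned):
        print(label, evaluate_request(secret, req))
```

Run it and the unsigned request is refused before anything else is looked at, a request built with the wrong secret (or altered in transit by one bit) fails the HMAC check, and a correctly signed request from a wired port type never reaches the group check. The ordering matters: the Message-Authenticator check is the only one that proves the request really came from a configured access point, so it runs first.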

Repeat the steps above on the secondary RADIUS server, requesting its own server authentication certificate and adding the same access points as RADIUS clients.

Client Configuration

Once the laptop has detected the AP, configure the advanced options:

  Network Authentication should be set as: WPA using TKIP data encryption (where the AP and clients support it, prefer WPA2 with AES; TKIP is a deprecated cipher)
  Under Authentication select Protected EAP, then select Properties:
    Ensure 'Validate server certificate' is selected
    Ensure that 'Connect to these servers' contains the RADIUS servers' FQDNs (the names in their server certificates)
    Scroll down and, under Trusted Root Certification Authorities, tick the root CA certificate of each RADIUS server

Keep all three of these settings. With server validation off, or with no server name and CA pinned, the client will complete PEAP against any rogue access point and RADIUS server that presents a certificate it is willing to accept, and will then run the user's EAP-MSCHAP v2 exchange through it, exposing the MS-CHAP v2 challenge/response to offline cracking.

It may be necessary to manually install one of the CA certificates on the client (see Manual Certificate Installation below).

Client configuration can also be deployed by Group Policy: Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies.

Manual Certificate Installation

Navigate Internet Explorer to:

  • http://your-certificateserver1/certsrv
  • http://your-certificateserver2/certsrv

From each server retrieve the CA certificate; download it in DER encoded format.

On the client, load MMC and add the Certificates snap-in, selecting Computer account > Local computer (the computer store, so that machine authentication as well as user authentication can validate the RADIUS servers). Expand Trusted Root Certification Authorities and select Certificates > right-click Certificates > Import > select the first RADIUS server's CA certificate, then repeat the import for the second server's CA certificate. Note that a CA imported here is trusted by that machine for every purpose, not only PEAP, so import only your own two enterprise root CAs.