This is an old tutorial of mine, so unfortunately I don't have screenshots. The server software to use is Windows Server 2008 R2. If you already have installed Active Directory Certificate Services on your domain, skip to Create certificate for NPS.
Install AD CA
Open Server Manager, expand Roles and click Add Roles. Choose Active Directory Certificate Services. Here is an example configuration, but you can modify it to fulfill your needs. The first-level bullets represent the configuration windows you're going to see:
- Select Role Services:
  - Choose Certificate Authority and Certificate Authority Web Enrollment.
- Specify Setup Type:
  - Certificate Authority is going to be installed on a domain controller, so choose Enterprise.
- Specify CA Type:
  - Choose Root CA. The other option is for those who want the CA certificate to be obtained from a 3rd party CA.
- Set Up Private Key:
  - Choose Create a new private key.
- Configure Cryptography for CA:
  - Continue with default settings, which are:
    - Cryptography service provider: RSA
    - Key character length: 2048
    - Hash algorithm: SHA1
  - Leave the Allow administrator interaction when the private key is accessed by the CA checkbox unticked.
- Configure CA Name:
  - Continue with default settings.
- Set Validity Period:
  - This is how long your CA certificate is going to be valid. I chose 5 years.
- Configure Certificate Database:
  - Continue with defaults (C:\Windows\System32\CertLog)
Now make sure the public key policies in your Default Domain Policy are correct. Open Group Policy Management and edit Default Domain Policy. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and set:
- Certificate Services Client - Auto-Enrollment:
  - Enable the policy.
  - Tick Renew expired certificates, update pending certificates, and remove revoked certificates.
  - Tick Update certificates that use certificate templates.
- Certificate Path Validation Settings > Stores tab:
  - Tick Define these policy settings.
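The same role installation, plus two checks a practitioner would want after the wizard has run, as an added PowerShell example that is not part of the original tutorial. It assumes an elevated PowerShell 2.0 session on the Windows Server 2008 R2 domain controller and the Add-WindowsFeature role-service names from that release; the CA configuration wizard itself (Enterprise Root CA, key, validity period) is still completed in Server Manager as described above. The registry path and the `certutil -pulse` trigger are standard Windows locations and commands, not values from the tutorial.

```powershell
# Added example, not part of the original tutorial: install the AD CS role
# services from PowerShell, read back the CA's cryptography settings, and
# force an auto-enrollment pass once the Default Domain Policy has been edited.
# Assumes an elevated PowerShell 2.0 session on the domain controller.

Import-Module ServerManager

# 1. Role services chosen in "Select Role Services": Certification Authority
#    and Certification Authority Web Enrollment.
$Features = 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment'
$install = Add-WindowsFeature $Features
if (-not $install.Success) { throw "Role installation failed (exit code $($install.ExitCode))" }
Get-WindowsFeature $Features | Format-Table Name, Installed -AutoSize

# 2. Read the active CA's provider settings from the CertSvc registry hive.
#    A CNG key storage provider records the hash name in CNGHashAlgorithm; a
#    legacy CSP records a CALG_* number in HashAlgorithm (0x8004 = SHA-1).
function Get-CaCryptoSettings {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active
    $csp    = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")
    $hash   = $csp.CNGHashAlgorithm
    if (-not $hash) { $hash = '0x{0:X}' -f $csp.HashAlgorithm }
    New-Object PSObject -Property @{
        CAName   = $caName
        Provider = $csp.Provider
        Hash     = $hash
    }
}

$settings = Get-CaCryptoSettings
$settings | Format-List

# The wizard default is SHA-1, which is deprecated for certificate signatures.
# The documented change for a CNG-backed CA is
#   certutil -setreg ca\csp\CNGHashAlgorithm SHA256
# followed by restarting the CertSvc service; only certificates issued after
# the change use the new hash.
if ($settings.Hash -eq 'SHA1' -or $settings.Hash -eq '0x8004') {
    Write-Warning "CA '$($settings.CAName)' signs with SHA-1; consider SHA-256 before issuing the NPS certificate."
}

# 3. On a domain member, refresh Group Policy and trigger auto-enrollment now
#    instead of waiting for the next scheduled pass.
gpupdate /force | Out-Null
certutil -pulse  | Out-Null
```

Run the third step on the server that will host NPS after the template in the next section has been published; the `certutil -pulse` call is what makes the certificate appear in the Personal store without a reboot or waiting for the auto-enrollment interval.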
Create certificate for NPS
Open Microsoft Management Console (open command prompt, type in mmc and hit enter). Add the following snap-ins (File > Add/Remove Snap-ins):
- Certificate Authority (Local)
- Certificate Templates
- Certificates (Computer account)
Expand Certificate Templates, right click RAS and IAS Server and click Duplicate Template. In the Duplicate Template window, choose Windows Server 2008 Enterprise.
A Properties of New Template window will pop up. In the General tab, type RAS and IAS Server Template for NPS as the Template display name and tick Publish certificate in Active Directory. In the Security tab, select RAS and IAS Servers from the list and tick Allow for Enroll and Autoenroll. Click OK.
Expand Certificate Authority (Local), right click Certificate Templates and click New > Certificate Template to Issue. Select RAS and IAS Server Template for NPS and click OK.
Expand Certificates (Local Computer) > Personal > Certificates and find the newly issued certificate by its Certificate Template column. Right click it, open Properties and enter NPS as the friendly name.
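Before selecting the certificate in the NPS wizard it is worth confirming that the right one was enrolled and that it is usable for PEAP. The following is an added PowerShell example, not code from the original tutorial; it assumes an elevated session on the NPS server, the template and friendly names chosen above, and that the host's subject name is its DNS FQDN (which is what the RAS and IAS Server template builds from Active Directory). The template-extension OIDs and the serverAuth EKU OID are standard values.

```powershell
# Added example, not part of the original tutorial: locate the certificate
# auto-enrolled from the duplicated template in the computer's Personal store
# and report the properties PEAP depends on. Assumes an elevated session on
# the NPS server; names are the ones used in the tutorial.

$TemplateName  = 'RAS and IAS Server Template for NPS'
$FriendlyName  = 'NPS'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                               # id-kp-serverAuth; PEAP clients require it
$TemplateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'     # v2 template information / v1 template name

function Get-TemplateText($cert) {
    # The text MMC shows in the "Certificate Template" column comes from one of
    # these two extensions; Format() resolves the template OID to its name.
    foreach ($ext in $cert.Extensions) {
        if ($TemplateOids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return ''
}

function Test-ServerAuthEku($cert) {
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ServerAuthOid) { return $true }
            }
        }
    }
    return $false
}

function Get-NpsCertificateReport {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { (Get-TemplateText $_) -like "*$TemplateName*" } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Thumbprint      = $_.Thumbprint
                Subject         = $_.Subject
                FriendlyName    = $_.FriendlyName
                HasPrivateKey   = $_.HasPrivateKey          # PEAP needs the key, not just the cert
                ServerAuthEku   = Test-ServerAuthEku $_
                ChainValid      = $_.Verify()               # builds the chain up to the enterprise root
                NotExpired      = $_.NotAfter -gt (Get-Date)
                NameMatchesHost = $_.Subject -like "*CN=$fqdn*"
            }
        }
}

$report = @(Get-NpsCertificateReport)
$report | Format-List

# If exactly one certificate matched and it has no friendly name yet, set the
# one the wizard will look for. Assigning FriendlyName on a certificate object
# obtained from the store writes the property through to the store.
if ($report.Count -eq 1 -and -not $report[0].FriendlyName) {
    $cert = Get-Item "Cert:\LocalMachine\My\$($report[0].Thumbprint)"
    $cert.FriendlyName = $FriendlyName
}
```

Every field in the report should read True (and NotExpired well into the future) before continuing; a False for ChainValid usually means the root CA certificate has not reached the NPS server's Trusted Root store yet, and a False for HasPrivateKey means the certificate was imported rather than enrolled.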
Install NPS Role
Open Server Manager, expand Roles and click Add Roles. Choose Network Policy and Access Services. In the Select Role Services window, choose Network Policy Server.
Open Network Policy and Access Services Management and in the left pane choose NPS (Local). Under Standard configuration choose RADIUS server for 802.1X Wireless or Wired Connections and click the Configure 802.1X link.
- Select 802.1X Connection Type:
  - Choose Secure Wireless Connections and give Secure Wireless Connections as the name.
- Specify 802.1X Switches:
  - Add your wireless access point by clicking Add. Enter a friendly name (e.g. wlan-livingroom) and the IP address of the AP (e.g. 192.168.0.50).
  - Tick Manual secret and create a unique secret. You will need to provide this secret to your access point.
- Configure an Authentication Method:
  - Choose Microsoft: Protected EAP (PEAP). Click Configure and select the NPS certificate that we just created in the Certificate issued list. Make sure that the Friendly name reads NPS.
- Specify User Groups:
  - Click Add and add the group of users and/or computers that are allowed to log in to Wi-Fi networks.
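The "Specify 802.1X Switches" step can also be done from the command line, which is handy when there are several access points or when you want a secret that was actually generated at random rather than typed. This is an added PowerShell example, not code from the original tutorial; it assumes an elevated session on the NPS server, and the client name and IP address are the same constructed example values used above.

```powershell
# Added example, not part of the original tutorial: register the access point
# as a RADIUS client with a freshly generated shared secret using netsh nps,
# the command-line equivalent of the wizard's "Specify 802.1X Switches" page.
# Assumes an elevated session on the NPS server.

function New-RadiusSharedSecret([int] $Length = 32) {
    # 64-symbol alphabet: reducing a random byte modulo 64 is unbiased.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

$ClientName    = 'wlan-livingroom'    # constructed example values from the tutorial
$ClientAddress = '192.168.0.50'
$Secret        = New-RadiusSharedSecret

# Register the client. netsh prints "Ok." on success. The secret is shown once
# and never written to disk; copy it into the AP's RADIUS settings right away.
$result = netsh nps add client name="$ClientName" address="$ClientAddress" state="enable" sharedsecret="$Secret"
if (($result -join ' ') -notmatch 'Ok') { throw "Adding RADIUS client '$ClientName' failed: $result" }

Write-Host "RADIUS client '$ClientName' ($ClientAddress) added."
Write-Host "Shared secret to enter on the access point: $Secret"

# Confirm the client exists with the intended address; the secret is not displayed.
netsh nps show client name="$ClientName"
```

Give each access point its own client entry and its own secret; a secret shared between several APs means that losing one device exposes the RADIUS trust of all of them.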
Configure access points
This is something you probably have to figure out by yourself. I have a couple of ZyXEL NWA1121-NI access points, where the right configuration is as follows:
- Security mode: WPA2
- Primary RADIUS server: enabled
- Primary server IP address: IP of your NPS server
- Primary server port: 1812
- Primary shared secret: this is the secret you created earlier
Now you should be able to log in to the Wi-Fi with your AD credentials. Note that many devices (including Windows and Apple) need to trust the root certificate in order to join the Wi-Fi. I use Cisco Meraki to deploy the CA certificate to Apple mobile devices. If your computer is not domain-joined, you need to manually import the CA certificate to Trusted Root Certification Authorities.
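Two things that make the last paragraph concrete, as an added PowerShell example that is not part of the original tutorial: getting the root CA certificate onto a Windows client that is not domain-joined without trusting it blindly, and reading the NPS audit events on the server to see whether logins are being granted or refused. It assumes elevated sessions, a placeholder export path, and the standard Security-log event IDs for NPS (6272 granted, 6273 denied); the Cisco Meraki deployment mentioned above is not covered.

```powershell
# Added example, not part of the original tutorial. Part 1 runs on the CA and
# on the client; part 2 runs on the NPS server. Paths are placeholders.

# --- Part 1a, on the CA: export the CA's own certificate (DER encoded) ---
$CaCertPath = 'C:\temp\root-ca.cer'          # placeholder path
certutil -ca.cert $CaCertPath | Out-Null

# --- Part 1b, anywhere: inspect the file before trusting it ---
function Get-CaCertInfo([string] $Path) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    New-Object PSObject -Property @{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint                     # compare out-of-band before importing
        Signature  = $c.SignatureAlgorithm.FriendlyName
        KeyBits    = $c.PublicKey.Key.KeySize
        NotAfter   = $c.NotAfter
        SelfSigned = ($c.Subject -eq $c.Issuer)        # expected True for a root CA
    }
}
Get-CaCertInfo $CaCertPath | Format-List

# --- Part 1c, on a non-domain-joined client: import into Trusted Root only if
#     the thumbprint matches the one read on the CA (certutil -addstore Root
#     <file> does the same import without the check) ---
function Import-RootCa([string] $Path, [string] $ExpectedThumbprint) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpper()
    if ($c.Thumbprint -ne $expected) { throw "Thumbprint mismatch; refusing to trust $Path" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($c)
    $store.Close()
    "Imported $($c.Subject) into LocalMachine\Root"
}
# Import-RootCa 'C:\temp\root-ca.cer' '<thumbprint noted on the CA>'   # placeholder

# --- Part 2, on the NPS server: recent access-granted / access-denied events ---
function Get-NpsAuthEvents([int] $Newest = 20) {
    # 6272 = Network Policy Server granted access, 6273 = denied access. If
    # nothing is returned, check the audit setting with
    #   auditpol /get /subcategory:"Network Policy Server"
    Get-EventLog -LogName Security -InstanceId 6272, 6273 -Newest $Newest |
        Select-Object TimeGenerated, InstanceId,
            @{ n = 'Result'; e = { if ($_.InstanceId -eq 6272) { 'Granted' } else { 'Denied' } } },
            @{ n = 'Reason'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'Reason' }) -join '; ' } }
}
Get-NpsAuthEvents | Format-Table -AutoSize
```

A run of 6273 events with the same client address right after changing the AP usually points at a shared-secret mismatch, while denials tied to a user name point at group membership or the PEAP certificate not being trusted on the client; both show up in the Reason lines of the event.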