locked
802.1x setup for SBS2008 for Cisco 1200 series access points using MS-CHAPv2-PEAP RRS feed

  • Question

  • I have a wireless network setup using 3 Cisco 1200 series access points on a SBS2008 network. I am currently using WPA2 personal. I would really like to move to 802.1x for better security as this is setup in a doctors office. I don't want to use certificates but would rather use the AD credentials for each user as an authentication mechanism. I have tried doing this but can't seem to find a good guide inline anywhere. I have gone through the wizard in NAP and configured the AP's but I can't get any wireless clients to authenticate.

    If someone can give me some details on how to do this, I would greatly appreciate it. If you need anymore info about the configuration of the network, let me know.

    Thanks in advance.
    Thursday, December 24, 2009 5:50 PM

All replies

  • Hello,

     

    Thank you for your post here.

     

    From the description, you want to implement 802.1X wireless network with MS-CHAP v2 authentication.

     

    Task

    Reference

    Install and configure the following required fundamental network services: Active Directory Domain Services (AD DS), the Domain Name System (DNS) server role, the Dynamic Host Configuration Protocol (DHCP) server role. Install the Network Policy Server (NPS) component of the Network Policy and Access Services server role and authorize NPS in AD DS.

    Windows Server 2008 Foundation Network Guide, available for download in Word format at the Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkId=105231, and in HTML format in the Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=106252

    Purchase, and then physically install wireless access points (APs) on your network.

    See your wireless AP hardware documentation

    Join wireless computers to the domain and create user accounts in AD DS for all your domain users.

    Windows Server 2008 Foundation Network Guide, available for download in Word format at the Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkId=105231, and in HTML format in the Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=106252

    If you are using PEAP-MS-CHAP v2, and have not already done so, auto enroll a server certificate to NPS servers or purchase and install server certificates on your NPS servers.

    Foundation Network Companion Guide: Deploying Server Certificates and Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication (http://go.microsoft.com/fwlink/?LinkId=33675)

    Follow the steps in this guide to deploy 802.1X authenticated wireless access.

    Deploying 802.1X Authenticated Wireless Access

     

    You may refer to the following article to implement 802.1X wireless with MS-CHAP v2 authentication:

     

    802.1X Authenticated Wireless Access

    http://technet.microsoft.com/en-us/library/cc771455(WS.10).aspx

     

    If you have any questions or concerns, please do not hesitate to let me know.

     

     

     

     

    Monday, December 28, 2009 2:42 AM
  • Thank you for all the info. My question at this point would be is there a way to set this up using a self-issued certificate? I won't have that many wireless devices so the cost of a Verisign cert is a little beyond what I can do, for now at least. I will let you know if I have anymore questions once I begin the deployment of this.

    Thanks.
    Tuesday, December 29, 2009 9:07 PM
  • I found an article on technet describing how to use the RAS and IAS server certificate template to use when creating the rules for the NAP service. I followed through the steps of duplicating the template and then configuring it the way I need to. I then tried to create a new certificate template to issue command and the box that opens doesn't show the template that I created. Come to find out, 2008 Standard doesn't show v2 templates, what teh duplicated template is. How do I create a template or certificate to use for this purpose?

    Thanks.
    Wednesday, December 30, 2009 7:26 PM
  • I am still stuck with this so any new help would be appreciated.

    Thanks.
    Wednesday, January 6, 2010 7:09 PM
  • I can't tell from your comment -- did you set up a Certificate Authority to issue the certificates?
    Thursday, January 14, 2010 6:06 PM
  • The SBS server is a certificate authority. I have the default computer certificate that was created when setting up the system. Maybe I am doing something wrong... What steps should I take to make sure that I am in fact doing this properly?

    Thanks.
    Saturday, January 16, 2010 11:48 PM
  • Hi There dfd1125
    I'm not sure if you have found an answer to your problem, I have in the past been faced with the same issues on SBS 2003 i also used Cisco APs i will try and attach a document that i used and found very helpful. I'm not sure if it will work the same as SBS 2008 maybe a very different animal but it may help.

    802.11b (and 802.11a and 802.11g) are great. You loose the tether to your desktop. The problem is, how do you secure your network so that your users can still use your network without having to jump through hoops.

    WEP used to be the answer. WEP is insecure and dead. Cisco have an excellent security suite, but if you're a small company then the cost of investing in the additional components may be prohibitive. If this is your case then WPA (Wi-Fi Protected Access) is the solution for you. It has two modes it can be used in, pre-shared key mode and dynamic key mode.

    I look down on pre-shared key mode. It requires you to manually enter a key on every wireless machine, and if the key is ever discovered you have to change it on every access point and every machine. It really is only good on the smallest of networks. The dynamic key approach requires two digital certificates to be installed on each workstation. After that, you do nothing. Security keys are dynamically generated per user per session. If a machine gets stolen, you simply invalidate those two certificates on your server and your network is secure again. No more pain.

    If you have Microsoft Small Business Server 2003 (or Windows Server 2003) then you can use the more secure easier to manage dynamic mode. Note that you can not do this with Windows 2000 server. You will also need a Cisco 350 Access Point series or better (1100 series, 1200 series, etc). If you have Cisco ACS, please use that instead. Cisco ACS is easy to setup compared to using SBS2003. However, you're reading this article because you probably don't have Cisco ACS. The client used in this article was Windows XP. I believe Windows 2000 Professional also supports WPA - providing you download the WPA patches from Microsoft.

    There are many steps in getting a working SBS 2003 WPA setup going. Most steps are essential, and the setup won't work at all if it is not done. This guide tries to cover all the major points and gotchas, but is not an exact step by step guide. So you will have to have an inkling of what to do yourself.

    The major steps (clicking on these will scroll you down to the relevant section):

    1. Patches. Do a Windows Update on your server, your workstation, and make sure your Cisco wireless kit has up to date software on it. The Windows Updates are essential. There is a critical wireless patch that needs to be applied to Windows XP and Windows 2000 that will prevent the solution from working if not done.
    2. Install Microsoft Certificate Server. The WPA setup can only be used with certificates. You CAN NOT use username/password authentication (need Cisco ACS for the simpler username/password authentication).
    3. Install IAS (Internet Authentication Service) on your SBS 2003 server.
    4. Create a "Wireless Users" security group in Active Directory (not essential, but highly recommended).
    5. Create a "Wireless" access policy in IAS.
    6. Add your access point in as a RADIUS client.
    7. Configure you Cisco access point.
    8. Install two certificates on your machine. One for your machine account, and one for your user account. It is critical that both of these are installed.
    9. Configure the wireless settings on your workstation. Note that you CAN NOT use Cisco ACU to configure your settings. You must set it so that Windows XP/2000 does the configuration.
    10. Special notes for Intel Wireless NIC Users. You may have trouble connecting to WPA networks if you don't do this.
    11. Summary

    Patches

    The most critical patch to have on your workstations at the time or writing is KB826942. You will see it under Add/Remove Programs if you have it installed already. You can install it by using Windows Update, or by getting it directly from Microsoft. You will not be able to use WPA without this patch. It is critical. You should do a Windows Update on your SBS2003 server as well. It is also strongly recommend that you update your Cisco access points to the most recent software, as well as your wireless NICs.

    Patches - Update

    Windows XP SP2 contains all the patches you need. If you have Windows XP SP2, you don't need to install any patches.

    Install Microsoft Certificate Server

    The general click path on the server is:

    1. Start
    2. Control Panel
    3. Add or Remove Programs
    4. Add/Remove Windows Components
    5. Tick "Certificate Services" if it isn't already.
    6. Follow your nose when answering the questions. Probably best to make yourself an Enterprise CA, since this is a simple AD structure (you're a small company, right?)

    Install IAS (Internet Authentication Server)

    Don't get this confused with ISA. Where using IAS - and they have nothing to do with each other. The general click path on the server is:

    1. Start
    2. Control Panel
    3. Add or Remove Programs
    4. Add/Remove Windows Components
    5. Networking Services
    6. Details
    7. Tick "Internet Authentication Service", if it isn't already.
    8. Click "Okay" lots of times.

    Create a "Wireless Users" security group

    The general click path on the server is:

    1. Start
    2. All Programs
    3. Administrative Tools
    4. Active Directory Users and Computers
    5. If you're running SBS2003 navigate to "MyBusiness" and then "Security Groups". If you have Windows 2003 server then navigate to "Users".
    6. Right click, and select "New" and then "Group".
    7. Type "Wireless Users" for the group name.
    8. Set the scope to Universal.
    9. Now the REALLY important bit. Add both the users who you want to have wireless access AND (I repeat AND) their machines. To see machines, click the "Add" button, and then "Object Types", and make sure that "Computers" is ticked. This is critical, repeat CRITICAL.

    Create a "Wireless" access policy

    This is done in IAS. The general click path is:

    1. Start
    2. All Programs
    3. Administrative Tools
    4. Internet Authentication Service
    5. Remote Access Policies
    6. Right click, "New Remote Access Policy"
    7. Next
    8. Use the wizard to setup a typical policy for a common scenario.
    9. Type "Wireless Access" for your policy name.
    10. Next
    11. Wireless
    12. Select "Group", click "Add".
    13. Type "Wireless Users", and lick "OK".
    14. Next
    15. Change the "Authentication Method" from "PEAP" to "Smart Card or other certificate". This is critical.
    16. Click "Configure", and select the certificate that you originally created when installing your certificate server. You will probably only have one option.
    17. OK
    18. Next
    19. Finish
    20. Double click on your new "Wireless Access" policy.
    21. Edit Profile
    22. Tick "Minutes client can be connected", and set it to "10".
    23. OK
    24. OK

    Add your access point in as a RADIUS client

    This is done in IAS. The general click path is:

    1. Start
    2. All Programs
    3. Administrative Tools
    4. Internet Authentication Service
    5. RADIUS Clients
    6. Right click, "New RADIUS Client"
    7. Type a name for your access point.
    8. Type the IP address of your access point.
    9. Next
    10. Change "Client-Vendor" from "RADIUS Standard" to "Cisco".
    11. Type in a "Shared secret" (password) to be used between the RADIUS server and the access point. Note this down, because you will have to configure this on the access point as well.
    12. Finish

    Configure you Cisco access point

    This is done via your WWW browser. Make sure your running an IOS based access point (you will be unless you have had it for quite sometime). General summary of settings. You need to use "Open Authentication with EAP", "TKIP" for your encryption, and set up everything to use VLAN1. If this is a new access point, run the "Express Setup" first. The general click path is:

    1. Security
    2. Server Manager
    3. Under "Corporate Servers" enter the IP address of your IAS server.
    4. In "Shared Secret" enter the password I said to note down above when configuring IAS.
    5. Apply
    6. Under "Default Server Properties", set "EAP Authentication" "Priority 1" to your IAS server.
    7. Apply
    8. SSID Manager
    9. Type in your SSID (what your access point will be known as), and enter a VLAN of "1".
    10. Under "Authentication Methods" click "Open Authentication" and select "with EAP" from the drop down box.
    11. Under "Authentication Key Management" set "Key Management" to "Mandatory" and tick "WPA".
    12. Apply
    13. Encryption Manager
    14. Select "Cipher", and "TKIP". Don't use any of the other TKIP settings, CRITICAL. Use plain TKIP.
    15. Apply

    Install two certificates on your machine

    This bit gets done on the workstation. It is CRITICAL that you add both a machine certificate and a user certificate. The general click path is:

    1. Start
    2. Run
    3. MMC
    4. File
    5. Add/Remove Snap-In
    6. Add
    7. Certificates
    8. My User account
    9. Finish
    10. Add
    11. Computer Account
    12. Next
    13. Finish
    14. Close
    15. OK
    16. Go to "Certificates - Current User"
    17. Personal
    18. Certificates
    19. Right click, "All Tasks", "Request New Certificate"
    20. Next
    21. Select a "User" certificate.
    22. Next
    23. Type a name you would like the certificate known by, such as your username.
    24. Finish
    25. Now repeat this process for "Certificates (Local Computer)", but give the certificate a friendly name similar to that of the machine's name.

    Configure the wireless settings on your workstation

    A really CRITICAL bit. If you have Cisco ACU installed, you MUST tell it to allow windows to configure the wireless settings. Repeat, this is CRITICAL. You can still use ACU to monitor your wireless connection, you just can't use it to configure the wireless settings. So if you have ACU installed the general click path is:

    1. Start
    2. All Programs
    3. Cisco Systems
    4. Aironet Client Utility (ACU)
    5. Select Profile
    6. Use Another Application to Configure My Wireless Settings
    7. OK

    Now we need to configure the Windows wireless settings. The general click path is:

    1. Start
    2. Connect To
    3. Show all connections
    4. View
    5. Details
    6. Right click on your "Wireless Network Connection".
    7. View Available Wireless Networks
    8. Advanced - DO NOT CLICK ON CONNECT
    9. Make sure "Use Windows to configure my wireless network settings" is ticked.
    10. You should be able to see your wireless network. Reboot if you can't. Click on "Configure".
    11. Set "Network Authentication" to "WPA".
    12. Set "Data Encryption" to "TKIP".
    13. Click on the Authentication tab.
    14. Make sure "Authenticate as computer when computer information is available. CRITICAL.
    15. Set "EAP Type" to "smart Card or other Certificate".
    16. Properties
    17. Under "Trusted Root Certificate Authorities" find the certificate for your certificate server, and tick it.
    18. OK
    19. OK
    20. OK

    Under the "Status" column in "Network Connections" you should see the wireless connection progressing through several stages. When all is going correctly the status should be "Authentication succeeded". If you've just finished all of the workstation configuration above you may need to do a reboot before it starts working correctly.

    Special notes for Intel Wireless NIC Users

    Intel NICs have trouble associating to Cisco access points that have legacy world domain mode turned on. This may prevent you from connecting to the network, or may allow you to connect intermittently. If you have Intel NICs refer to this article from Intel and Cisco.

    Summary

    Congratulations, you should now have a wireless connected workstation that has secure access to your wired network. If you haven't, make sure you've done all the critical steps. Check the event log on the SBS2003 server (particularly look at any IAS events), and check the event log on the access point.

    Tuesday, February 23, 2010 11:49 AM
  • I am still looking for an answer to this issue. The above reference is unfortunately not a good guide for setting this up in SBS2008. My issue is still with the certificates. I can duplicate the certificate but SBS2008 can't see or use version 2 certificates and all the version 1 certificates on the system are not for use with 802.1x. If anyone has found an answer to this or has any more information, please let me know.

    Thanks.
    Thursday, March 4, 2010 1:30 AM
  • Thanks Nice step by step guide,

     

    Please can you give this step by step guide for Windows Server 2008. 

     

    Thnaks

    Wednesday, April 28, 2010 6:20 AM
  • This post is a little old, but we just literally did the samething, except with PEAPv1, pain in the butt, so hopefully this helps any others looking for guidance cause there isn't much out there for 802.1x.

    First thing you should know. You don't need NAP, you need NPS. Sounds like your needs are going to be PEAPv0 (Peap with MSCHAPv2). Your users will be authenticated via username/pw.

    NAP is used for health check, I.E. you want machines to have patches updated, anti-virus updated, if not they are quarntined.

    NPS is the new name for IAS from 2003. You will have to configure a radius server, which is just installing the NPS role. You will have to configure your APs for radius/802.1X, I am not sure the configs on the 1200 series. I have only done this with a wireless lan controller. I am sure cisco has plenty of docs on it though.

    Once NPS is installed and you have APs configured for EAP. Configure radius clients in NPS, add the APs that will be acting the authenticator role there. Then create a "connection request policy" in the NPS MMC. The easiest way is to click on NPS in the mmc and go through the wizard. One key thing is on the conditons pane, only select NAS port type IEEE 802.11 and other wireless. The more condintions you incorporate the more stringet it will be.

    Once the wizard is completed, look under the "connection request policy" select your new policy go to settings tab and click the over ride network policy authentication box.

    In settings on the connection request policy Click on authentication and select PEAP, then use MSCHAPv2. You will have to vaildate server cert, make sure your workstations have the server cert you choose to be used.

    When you configure the supplicant software on the workstations, they will have to match this policy. I would reccommend using windows native software, Wireless zero configuration (WZC)

    You can either setup a Group policy to push this wireless profile or go individually to each machine.

    If you want users to be able to login without having cached credentials you will have to setup machine authentication. If you need help with that let me know.


    "I wish I knew"
    Friday, November 19, 2010 7:41 PM
  • I just looked at this post again and saw the new response. If you can, I would like to find out how to do machine authentication as well. I am redesigning a network for a business now and would really like to use 802.1x so I look forward to using the steps you already provided to attempt the setup.

     

    Thanks.

    Friday, January 28, 2011 10:41 PM
  • Hi dfd1125

    I read your initial post and u mentioned you "don't want to use certificates but would rather use the AD credentials for each user as an authentication mechanism".. you want to implement 802.1x with PEAP-MSCHAPv2 but without using certificates. If you have already gone through the process of configuring your NPS with the relevant Connection Request policies and Network Policies using the steps outlined by Bryce_127, then all thats left to connect without certificates is to go to the client machine, navigate to the wireless propeties for the SSID which you want to implement 802.1x, navigate to the Protected EAP properties and DE-SELECT "Validate Server Certificate" and make sure the selected Auth Meth is Secured Password (EAP-MSCHAP V2) this way your clients will be able to connect using only thier AD credentials and not having to validate the server certificate, which means you dont even have to install certs on their machines, BUT it would be advisable to use certificates in case of rogue radius servers, but i hope this answers your first question.


    tech-nique
    Sunday, January 30, 2011 11:42 AM
  • Reading through this thread, I didn't see anyone comment on the v2 certs, or rather the ability to create a v2 cert from a template. The one thing about SBS CA is it's based on Windows 2008 Std Edition, which means it doesn't have the ability to create a v2 cert. To do this, you would need a CA installed on either Windows 2003 Ent, Windows 2008 Enterprise, or Windows 2008 R2 Std or Ent.

    I cannot select a V2 or V3 template when enrolling for a certificate
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9456ab90-f6ba-45a3-99b1-748d8cfeda59

    2008 Web Enrollment and Version 3 Templates
    http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx

    If you use Windows 2008 Server R2 you do not need Enterprise edition in order to issue certificates based on custom (v2/v3) templates. However, if you need the web enrollment feature, you'll need the Enterprise Edition.
    http://blogs.technet.com/b/pki/archive/2009/09/03/active-directory-certificate-services-features-by-sku.aspx

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

     

     

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Sunday, January 30, 2011 7:09 PM
  • dfd1125

    Are you planning on using machine authentication with wireless devices or wired? Cause
    there will be a difference in the way you setup your policies on NPS. With wired its pretty easy to configure. With wireless the cool thing is you can setup machine auth to act like a "wired" connection. 

    Example: New user, never logged onto machine before, but machine has been added to domain. Without mach auth on wireless...user can not logon...wireless doesn't connect until a login. Well you can configure the WLAN service to connect via EAP/profile using machine cert, now LDAP request (user auth/pw) can be sent via the machine auth connection which connects during boot up, ususally around the windows screen. So you do not need cached  credentials. PRetty sweet thing. 

    Quick comment on server certs, they are not required depending on your flavor of EAP, but if you decide to use PEAP with EAP-TLS server cert is required, because that is what is used to negotiate the TLS. Great book is "certified wireless security professional" it will show you a packet by packet break down of how the exchanges/tunnels are made through all versions of EAP.

    Bryce

    "I wish I knew"
    Monday, January 31, 2011 9:05 AM
  • I am suffering from a similar problem. I dont know if this would help at all but your welcome to view the video i made to try and set this up. it doesnt work, but it may help you identify something. you can find my existing thread at the link below, and if you have an answer to my situation id be very grateful.

    http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/edc101a5-8ffb-4020-b1f9-d1bcc2a5cc11

    thank you

    Friday, February 4, 2011 4:07 PM