Wireless Access Point & Server 2008 Std. NPS (Network Policy Server)

  • Question


      I am looking for direction in the configuration of this whole new package Microsoft has created which replaces IAS.  I have worked with Microsoft IAS server in limited situations and am looking to leverage the capabilities and grow a better understanding of how to configure its replacement to better secure my Wireless network.  If you could help direct me in the configuration of this setup which could apply to any RADIUS capable WAP device it would be greatly appreciated.  Below I have stated my current configuration and specifically what I am looking to accomplish.

    *IP addresses are only for example purposes and are not actually used IPs.


    Current Configuration:

    · Server 2003 SP2 DC with DHCP, DNS, WINS, and AD
    · Server 2008 with NPS and Domain Certification Authority
    · HP ProCurve 420 Wireless Access Point
    · Core switch with VLANs assigned and all devices mentioned connected
    · Two networks, Guest and Private
    · Guest VLAN has internet access only, network 7.7.0.0/24
    · Private VLAN has corporate & internet access, network 7.7.1.0/24
    · Networks separated via VLANs, no routing between VLANs, each internet connection behind its own firewall
    · ProCurve 420 WAP Ethernet port is part of both VLANs
    · WAP added to the NPS RADIUS Clients with the following settings: IP: 7.7.1.3, Device Manufacturer: RADIUS Standard, NAP-Capable: No, Status: Enabled, Shared Key: Manually Entered


    What I am looking to accomplish:

    · Authenticate users connecting to the WAP via NPS
    · Dynamically assign wireless users to the Guest VLAN; if user authentication is successful, then dynamically assign that wireless user to the Private VLAN

    What I need assistance / direction with:

    · Configuration of the policies on the Network Policy Server (NPS)


    Thank you for any help you may provide as well as working towards a useful how-to that others may reference!

    Thursday, September 4, 2008 6:21 PM

Answers

  • Hi Yoko,

    I believe what you will need to do is configure the AP to place users on the guest VLAN by default, either using a guest VLAN or default VLAN feature. Since these users don't authenticate via RADIUS, that particular part of the configuration wouldn't be on NPS.

    Computers that authenticate successfully can be controlled with NPS. These would match a connection request policy and move on to match one of your network policies (previously remote access policy). In the network policy, you would have a condition such as user group or time of day, and then apply the settings to place the user on the private VLAN. Settings would utilize the Tunnel-Pvt-Group-ID attribute to place them on the VLAN.

    The simplest way to configure these policies is to use the wizard in NPS. Click on NPS in the console and under standard configuration select RADIUS server for 802.1X wired and wireless connections. Click configure 802.1X and answer the questions.

    Let me know if this works for you.

    Thanks,
    -Greg
    Friday, September 19, 2008 12:37 AM
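As an added illustration of the mechanism Greg describes (this is example code written for this page, not code from the thread, NPS or any vendor): the RADIUS Access-Accept attributes that carry the VLAN move (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, per RFC 2868) and the check an access point does before honouring them, using the shared key entered for the RADIUS client. VLAN 10, the identifier, the Request Authenticator and the shared key are constructed sample values.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # RFC 2868 values for Tunnel-Type and Tunnel-Medium-Type

def tunnel_attr(attr_type, value, tag=1):
    """RFC 2868 tunnel attribute TLV: type, length, one tag byte, then the value."""
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body

def vlan_attributes(vlan_id):
    """The three attributes an Access-Accept carries to move the client onto a VLAN
    (integers are 3 bytes wide because the tag occupies the first byte)."""
    return (tunnel_attr(TUNNEL_TYPE, struct.pack("!I", VLAN)[1:])
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", IEEE_802)[1:])
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))

def access_accept(identifier, request_authenticator, shared_secret, attrs):
    """Access-Accept whose Response Authenticator (RFC 2865) is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + shared_secret).digest()
    return header + resp_auth + attrs

def parse_attributes(packet):
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet) and packet[i + 1] >= 2:  # length < 2 would never advance
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs

def assigned_vlan(packet, request_authenticator, shared_secret):
    """What the access point should do with the reply: check the Response Authenticator
    against the shared key first, then read the VLAN. None means do not move the client."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + request_authenticator + attrs + shared_secret).digest() != resp_auth:
        return None  # forged or tampered reply, or a mismatched shared key
    a = parse_attributes(packet)
    if (a.get(TUNNEL_TYPE, b"")[1:] != struct.pack("!I", VLAN)[1:]
            or a.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != struct.pack("!I", IEEE_802)[1:]
            or TUNNEL_PRIVATE_GROUP_ID not in a):
        return None  # incomplete tunnel attributes: no VLAN assignment
    group = a[TUNNEL_PRIVATE_GROUP_ID]
    if group[:1] <= b"\x1f":  # RFC 2868: a leading byte 0x00-0x1F is a tag, not data
        group = group[1:]
    return group.decode() or None  # VLAN ID or name as the switch/AP will see it
```

The Tunnel-Pvt-Group-ID value is the VLAN the NAS applies; the other two attributes tell it that the "tunnel" is an 802 VLAN rather than a VPN tunnel, which is why the network policy in NPS needs all three.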

All replies

  • Hi Yokomoto,

    I read your post, and it looks like we're working towards the same thing. We are currently using Juniper Radius boxes because Radius on 2003 did not support EAP-TTLS. We've been told that NPS does.

    I'm just waiting on a reply for a question I asked on whether when you authorise an NPS server in a 2003 AD-based environment, it makes any changes or modifications to the AD schema. Do you know?

    Anyway, as soon as I get this question answered, I will start tests, and maybe we can work together :)

    Best rgds,
    Ant
    Tuesday, September 9, 2008 10:50 AM
  • Hello Ant,

    I have my NPS running in a Server 2003 level forest and domain with DCs all running R2 with SP2. Schema changes are only needed if there is a 2008 DC being installed; I added the NPS Role and Certificate server to the same server without any schema changes needed. I know the certificate role is working without any issues; however, I cannot attest for NPS because I have yet to get it up and running with my WAP. It looks like you and I are the only ones attempting this, because I have 7 posts on different forums with no responses. Nothing like being on the bleeding edge of technology!

    Look forward to collaborating with you!

       Yoko

    Tuesday, September 9, 2008 2:43 PM
  • Hi again Yoko,

    Thanks for your feedback regarding the schema. I'll get onto our Enterprise boys and once I get it integrated into AD I'll get back to you. Then I'll have a functioning UAT instance!

    Give me a couple of days to get through the red tape.

    Are you using NPS to control WIFI authentication to your DCs? This is my goal: to set it up with a domain-level certificate, EAP-TTLS and MS-CHAP v2.

    Nothing too sticky. Juniper took 10 minutes to set up!

    Cheers,
    Ant
    Tuesday, September 9, 2008 3:16 PM
  • Ant,

    So long as the system is a member of the domain that contains the NPS Roles, it should have access to the AD for user account lookups. I too am looking to auth users to my DC. Basically I will have them in a dead-end VLAN that goes nowhere and has access to the NPS & DHCP. Once the user is authed, they will be placed in the production VLAN; if they are authed differently, they will be placed in an internet-access-only VLAN for general use. Pretty straightforward; however, this NPS has a lot in the way to quickly configure it for our limited needs.

      Yoko
    Tuesday, September 9, 2008 3:47 PM
  • Hi Yoko,

    I've finally got it into the domain this morning, and I've started some tests without success :(

    I'm going to set up a new thread, and also start trawling the info in the NPS resources in Technet.

    Again, sounds as if we're pretty much trying to achieve the same goal.

    Here's what I'm trying to set up, which is working with Juniper backends.

    Windows XP SP2 Client > CISCO Aironet 1131 AG Access Point ---- AES-CCMP
    Access Point > NPS ---- EAP-TTLS and EAP-MSCHAPv2
    NPS > Windows 2003 Domain Controller ---- MSCHAPv2

    There is a certificate installed on both the client and the NPS server from a local CA.

    So, here is my lab set up. Now I need to see if NPS works with this standard.

    What are you using exactly?

    Cheers,
    Ant
    Wednesday, September 10, 2008 10:51 AM
  • Another thing I've seen: do you need to use the dial-in property of an AD account if you're only using the RADIUS authentication for WIFI APs?
    Wednesday, September 10, 2008 11:03 AM
  • Hi Yoko,

    How did you go with this? If you have it working now, can you please tell me how you did it, step by step.

    I am having all sorts of trouble with this.
    Monday, October 12, 2009 2:46 AM
  • Last week I set up and implemented my first Server 2008. I love it so far. Now the CEO wants me to install 3 wireless access points that will give network access to domain users as well as internet-only access to vendors and subcontractors in the building. The current wireless router will be removed.

    Since it sounds like you have already done this, I would greatly appreciate an "instruction manual" or "NPS for dummies" type breakdown of what you did, as my certs were all on Server NT and Novell and I have been learning on the fly for over 10 years now. :-( Not fun!

    Also, even though I set dial-up access to Allow for the 3 executives' accounts, the only one that can currently VPN or remote desktop to the server from the internet is the Administrator account. Do I need to set Routing and Remote Access rules before administrative users other than the Admin can log in remotely? Or did I do something wrong?

    Thanks,

    Andrew


    I can fix that 4 U
    Thursday, October 7, 2010 2:09 AM