Trouble with Windows 2008 R2 Std / NPS and Netgear WNDAP660-100NAS

    Question

  • Hello,

    I am having trouble with my setup.  My environment is as such:

    forest with 3 domains
    NPS is set up on a DC in one of the domains (the same domain that my DHCP server is in and that the Security Group - Universal used for the access condition is in)
    Set up a port on my L3 switch with its own subnet specifically for these wireless connections (which works as far as DHCP/DNS goes when connected with a wired PC to the Netgear Access Point)

    The RADIUS/NPS is setup correctly with the shared secret and the Netgear is setup as a RADIUS Client
    The Connection Request Policy's condition is just the value for the client friendly name, which matches exactly in the RADIUS Client section
    The Network Policy's condition is just the security group mentioned above with me in it and the permission set to grant access.

    So the problem is once I try to connect to my Netgear AP using the WPA/WPA2 with RADIUS profile on my Windows 7 Pro 64-bit laptop I get prompted with this initial popup

    which I'm entering my domain credentials.  But then it pops up this and that's where I'm stuck.

    I can't seem to figure out what needs to go in here in order to complete my connection successfully.

    If I create a second profile on my Netgear AP which will use only WEP or WPA/WPA2 PSK everything works perfectly. Except of course they don't authenticate using their own unique network credentials and use a common password amongst all clients.

    Thank You


    mstoll

    Monday, January 28, 2013 9:16 PM

Answers

  • Hi Merrilee -

    When you deploy NPS, you create a Network Policy that allows the types of connections that you want. So you can create a wireless access Network Policy. When you do so, in the policy you must specify the authentication method that clients are allowed to use to connect to the network. The most secure authentication methods are those which are certificate-based, such as PEAP-MS-CHAPv2 and EAP-TLS.

    To be able to use certificate-based authentication methods, you must deploy a certification authority (CA) using Active Directory Certificate Services, and you must configure certificate templates that the CA uses to create and issue certificates to NPS servers and, if you decide to use the most secure authentication methods (PEAP-TLS and EAP-TLS), to either client computers or users.

    One of the issues that you face is finding out whether the devices connecting to your network support these authentication methods.

    If you deploy PEAP-MS-CHAPv2, the only certificate that you need is on the NPS server. Clients/users are authenticated with password-based credentials, so you don't need to enroll certificates to all clients or all users. But with this authentication method you do have to install the CA certificate in the Trusted Root Certification Authorities store on each client, so that the client trusts the CA that issued the NPS server certificate.

    The following paper shows you how to deploy a CA and issue a server certificate:

    For Windows Server 2008 R2

    Core Network Companion Guide: Deploying Server Certificates, at http://technet.microsoft.com/en-us/library/dd772727(v=ws.10).aspx

    For Windows Server 2012

    Core Network Companion Guide: Server Certificate Deployment, at http://technet.microsoft.com/en-us/library/jj125379.aspx

    *****

    The following paper, which you can use after you deploy your CA using the paper listed above, shows you how to deploy wireless using PEAP-MS-CHAPv2:

    For Windows Server 2008 R2

    Core Network Companion Guide: Deploying Password-based 802.1X Authenticated Wireless Access, at http://technet.microsoft.com/en-us/library/ff919508(v=ws.10).aspx

    For Windows Server 2012

    Core Network Companion Guide: Deploying Password-based 802.1X Authenticated Wireless Access, at http://technet.microsoft.com/en-us/library/jj721726.aspx

    Thanks -


    James McIllece

    Wednesday, January 30, 2013 7:54 PM

All replies

  • It depends on how you set up the certificate. And I assume that you used a v2 cert, since Windows 2008 R2 Std offers it (prior Std editions didn't).

    FWIW, I compiled a whole 802.1x implementation with a Cisco AP and Windows IAS, which is pretty much the same as NPS, albeit with a different GUI. I hope it helps.

    802.1x Wireless Implementation
    http://blogs.msmvps.com/acefekay/2012/09/28/802-1x-wireless-implementation/


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, January 29, 2013 4:03 AM
  • So I guess my problem here is the certificate.  I didn't set up Certificate Services on the server.  With Certificate Services installed, how would that affect how users use for instance an iPad or Surface or any other mobile device in terms of connecting to the network ?

    I assume your link will run through setting up the Certificate Services.


    mstoll

    Tuesday, January 29, 2013 7:19 PM
  • Hi Ace,

    I have been reading through your document and being unfamiliar with Certificate Services, I am having trouble at a point in the document.  Page 8 states

    " To keep the CA website secure, request an SSL certificate from the new CA created above
    Create a web server certificate request (SSL) for the default website within IIS and saved it to a file such as c:\iis certnew.cer"

    Where do I go to do that ?

    Thank You for your time.


    mstoll

    Wednesday, January 30, 2013 7:48 PM
  • Hi James,

    I am unfamiliar with Certificate Services.  Are certificates mandatory for my intended deployment ?  My sole objective is to authenticate wireless clients by using their domain credentials whether the client device is a member of our domain or not.  We have people that would connect using their various tablets/smartphones/laptops. And to that end, what choice would I need to select in the access point.

    Thank You


    mstoll

    Wednesday, January 30, 2013 8:25 PM
  • If you don't have a CA or want to go that route, it is possible.

    Did you create an AD group and allow that in the NPS policy? Maybe the following thread and discussion will provide more info on non-CA RADIUS wireless auth:

    802.1x wireless autentication without certificate
    http://www.experts-exchange.com/Networking/Windows_Networking/Q_27700299.html

    If not able to view the thread and it prompts you to login, simply copy the link above, paste it in a Google or Bing search, then click on the first result. The search referral will put you right into the thread.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, January 30, 2013 8:50 PM
  • Hi Ace,

    I'm not sure what I'm doing wrong.  I just installed Windows 2008 R2 Std on a server. Then ran all the windows updates. I joined it to my domain.  Then added the roles Active Directory Certificate Services, Network Policy and Access Services, and Web Server (IIS). Then tried again to connect to the AP using this server as the RADIUS server and I still get that second pop-up.  Could we talk this through a bit together ?  I don't understand why it doesn't work.

    Thank You


    mstoll

    Thursday, January 31, 2013 8:28 PM
  • Hi Merrilee -

    What authentication method did you decide to use?

    If you're using a solely password-based authentication method, you don't need AD CS. If you decided to use one of the certificate based methods, did you configure AD CS to autoenroll certs to NPS servers, and then configure network policy in NPS?

    Thanks -


    James McIllece

    Thursday, January 31, 2013 8:44 PM
  • Hi Ace,

    Sorry for the delay in responding.  What I did was build an ESXi 5.1 server and install a Win2K8 server VM on it. I ran all Windows updates and then joined it to our domain.  After that I added the roles of Certificate Services, NPS, & IIS.  I configured the NPS to grant permission based on a domain group's membership and used PEAP authentication in the Network Policies under EAP Types.  When I clicked on edit for PEAP I added EAP-MSCHAP v2.

    So now this is the current situation.  I can access our network via iPad/iPhone/Android utilizing the Netgear AP and using my new RADIUS server without any issues.

    However, my freshly formatted Windows 7 laptop still prompts me for the second popup listed above (EAP-TTLS), and a Blackberry Bold asks me for the CA Server and I believe only allows me to choose from a predefined list.

    So my problem remains, How can I get the laptop to stop asking me the second set of credentials ?  My guess is that the Apple/Android mobile devices likely don't support a higher(??) level of authentication so they join successfully by perhaps falling back to a lesser level.  The Windows 7 laptop likely does support the higher level of authentication that the AP/RADIUS Server is requesting and hence prompting me for it.  That is my speculation, but how do I get past this ?


    mstoll

    Wednesday, February 06, 2013 6:11 PM
  • Hi James,

    Sorry for the delay in responding.  What I did was build an ESXi 5.1 server and install a Win2K8 server VM on it. I ran all Windows updates and then joined it to our domain.  After that I added the roles of Certificate Services, NPS, & IIS.  I configured the NPS to grant permission based on a domain group's membership and used PEAP authentication in the Network Policies under EAP Types.  When I clicked on edit for PEAP I added EAP-MSCHAP v2.

    So now this is the current situation.  I can access our network via iPad/iPhone/Android utilizing the Netgear AP and using my new RADIUS server without any issues.

    However, my freshly formatted Windows 7 laptop still prompts me for the second popup listed above (EAP-TTLS), and a Blackberry Bold asks me for the CA Server and I believe only allows me to choose from a predefined list.

    So my problem remains, How can I get the laptop to stop asking me the second set of credentials ?  My guess is that the Apple/Android mobile devices likely don't support a higher(??) level of authentication so they join successfully by perhaps falling back to a lesser level.  The Windows 7 laptop likely does support the higher level of authentication that the AP/RADIUS Server is requesting and hence prompting me for it.  That is my speculation, but how do I get past this ?


    mstoll

    Wednesday, February 06, 2013 6:12 PM
  • Did you install the certificate, Root cert, and intermediate certificate on the client and NPS server?

    You may also need to install it into the NTAuth store. The point is the intermediate and Root certs need to be installed on every device between the client and DC.

    Read a similar thread for more info:

    Windows Server 2008 R2 VPN connection problems (User certificate authentication)
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/11320b4c-1966-48a4-a8fb-d528702f1dad/



    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, February 07, 2013 1:06 AM
  • Hi Ace,

    What I guess I'm trying to say is that I'm not very familiar with setting up a RADIUS server and Certificate services.  Can we step back for a moment and sort of create a checklist of actions I need to complete. 

    As far as answering your question above regarding "Did you install the certificate, Root cert, and intermediate certificate on the client and NPS server?", the answer is, I don't know.  Is there a specific action I need to undertake in order to complete that? Or is simply installing those roles on my server performing what you are asking?  How can I perform what you are saying?

    My goal was to set up a wifi AP that would authenticate wireless devices via domain username/password to gain access to the wifi network.  I hadn't planned to utilize certificates in my setup, but if it's mandatory, then can we talk this through from the beginning?


    mstoll

    Thursday, February 07, 2013 3:44 PM
  • Hi Merrilee -

    Using certificates is not mandatory. You can use MS-CHAPv2 if you want to - it just isn't as secure as a certificate based auth method.

    To use MS-CHAPv2, just enable that auth method only in your network policy in NPS. I believe all MSFT clients will automatically use that method when NPS requests it, but I don't know about third party products.

    If you do want to use PEAP-MSCHAPv2, which employs a server certificate only, the overview of the process is:

    Install NPS and configure your network access servers (such as access points) as RADIUS clients in NPS, and do other basic NPS configuration per the documentation, such as register the server in Active Directory and configure your logging preferences.

    The process of configuring NPS and RRAS server certificate enrollment occurs in these stages (detailed procedures are here: http://technet.microsoft.com/en-us/library/dd772714(v=ws.10).aspx):

    • Install the AD CS server role. This step is required only if you have not already deployed a certification authority (CA) on your network.
    • Configure a server certificate template. The CA issues certificates based on a certificate template, so you must configure the template for the server certificate before the CA can issue a certificate.
    • Configure server certificate autoenrollment in Group Policy. When you configure autoenrollment, all servers running NPS, RRAS, or both on your network will automatically receive a server certificate when Group Policy on the server is refreshed. If you add more servers later, they will automatically receive a server certificate, too.
    • Refresh Group Policy on servers running NPS and RRAS. When Group Policy is refreshed, the servers receive two certificates. One certificate is the server certificate, which is based on the template that you configured in the previous step. This certificate is used by the server to prove its identity to client computers that attempt to connect to your network. The other certificate is the CA's certificate, which is automatically installed in the Trusted Root Certification Authorities certificate store. The server uses this certificate to determine whether to trust certificates it receives from other computers. For example, if you deploy EAP-TLS, client computers use a certificate to prove their identities to the server running NPS. When the server receives a certificate from a client computer, trust for the certificate is established because NPS has the issuing CA certificate in its own Trusted Root Certification Authorities certificate store.

    Keep in mind that all clients must trust the CA that you deployed. To create that trust, import the CA certificate to the Trusted Root Certification Authorities (TRCA) store on clients. The easiest way to do this, if they are domain members, is to connect them to your network with an Ethernet cable. If the computer is domain joined, the CA certificate will automatically be installed in the TRCA certificate store on the client.

    If you have third party clients or clients that you can't plug in to the network, you'll need to export the CA cert to a flash drive (or other media) and then import the cert from the Certificates console on the client. (To access that console, type "mmc" in command prompt and press Enter, then add the Certificates snap-in to the Microsoft Management Console for both the Local Computer and the Current User, then import the cert from media.)

    Hope that helps -


    James McIllece

    Thursday, February 07, 2013 8:29 PM
  • James, excellent summary.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, February 08, 2013 3:45 AM
  • Hi James,

    We don't want to use certificates if we don't have to.  So I believe I have setup MS-CHAP v2 as you suggested.  See pic below

    And when I try to connect with my Windows 7 laptop it still pops up that second EAP-TTLS pop-up.

    Have I missed something ?


    mstoll

    Friday, February 08, 2013 4:09 PM
  • When you clicked Add, did PEAP show up?

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Saturday, February 09, 2013 1:54 AM
  • Hi Ace,

    I clicked on "add" for the "EAP Types" and chose PEAP as you suggested.  Is this the only remaining step ?

    Thank You


    mstoll

    Monday, February 11, 2013 7:47 PM
  • Not sure if you missed anything else. Did it work?


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, February 11, 2013 8:08 PM
  • Hi Ace,

    Not sure if I need to restart any services or not. The iPads/iPhones/Androids/Blackberrys/Surfaces connect without any issue.

    My freshly installed windows 7 pro laptop that wasn't joined to my domain still popped up that second authentication; the one for EAP-TTLS.

    Not sure if this is the solution or a workaround, but from here I went to my RADIUS server and exported a certificate and installed it on my laptop, and now after attempting to connect using my domain username/password it gives me a warning of some kind with the options to terminate or connect. If I choose connect I can connect.  This I am guessing is a big step; however, I am guessing that if someone were to come in from another company with a locked-down laptop, they may not be able to install certificates.

    I can feel we are close, but it still pops up without doing that certificate install.  I'm guessing it is giving me that terminate/connect option since the cert is a self signed type ?!?!  Do you think there is a way to purchase a verisign/thawte certificate so that it doesn't ask and would just trust and connect ?

    Thank you for so much of your time.

    I really appreciate it.


    mstoll

    Monday, February 11, 2013 9:26 PM
  • I thought you had exported and imported the cert prior to this? Nonetheless, glad you did that. The warning indicates the cert came from an untrusted CA (your internal CA), which is why it works with a joined machine. What we need to do is purchase a cert from a public CA, such as DigiCert, Verisign, GoDaddy, etc. Otherwise, you would have to import the cert for non-members. Another way around it is to get a hold of the SBS cert installer, if you know someone with SBS, or email it to the user prior to them connecting, and all they would have to do is double click on it to install.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, February 11, 2013 10:20 PM
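    The script below is an added example for this thread, not code from any of the posts or from Microsoft. It does on a Windows client what James's checklist and Ace's explanation of the untrusted-CA warning describe: it builds the certificate chain for the NPS server certificate against the machine's Trusted Root store (the same trust decision the PEAP supplicant makes before it offers "terminate or connect"), checks that the server certificate carries the Server Authentication EKU that PEAP clients require, and, with -Install, imports the CA certificate (never the server certificate) into LocalMachine\Root. The file paths are assumptions: export the server certificate from the NPS box's Certificates console and the CA certificate on the CA with "certutil -ca.cert"; it needs an elevated PowerShell 2 or later on the client.

```powershell
# Added example (not from the thread): verify, on a client, that the NPS server
# certificate chains to a trusted CA, and optionally install the CA certificate.
param(
    [string]$ServerCertPath = 'C:\nps-server.cer',   # assumed path: server cert exported from NPS
    [string]$CaCertPath     = 'C:\ca-root.cer',      # assumed path: CA cert from "certutil -ca.cert"
    [switch]$Install                                 # actually add the CA cert (elevated prompt)
)

$X509 = 'System.Security.Cryptography.X509Certificates'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU; PEAP clients reject certs without it

function Test-NpsServerCertTrust {
    param([string]$Path)
    $cert  = New-Object "$X509.X509Certificate2" $Path
    $chain = New-Object "$X509.X509Chain"
    # Skip CRL/OCSP lookups so the result reflects trust only and works offline.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    # Collect the EKU OIDs so we can confirm the Server Authentication purpose is present.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $trusted
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        HasServerAuth = ($ekus -contains $ServerAuthOid)
    }
}

function Install-CaRootCert {
    param([string]$Path)
    $ca = New-Object "$X509.X509Certificate2" $Path
    # Only a self-issued CA certificate belongs in the Root store; refuse anything else,
    # including the NPS server certificate itself.
    if ($ca.Subject -ne $ca.Issuer) {
        throw "Not a self-signed CA certificate, refusing to add to Root: $($ca.Subject)"
    }
    $store = New-Object "$X509.X509Store" 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($ca) }    # no-op if this exact certificate is already present
    finally { $store.Close() }
    Write-Host "Added to LocalMachine\Root: $($ca.Subject) (thumbprint $($ca.Thumbprint))"
}

$before = Test-NpsServerCertTrust -Path $ServerCertPath
$before | Format-List Subject, Issuer, NotAfter, HasServerAuth, ChainTrusted, ChainStatus

if (-not $before.HasServerAuth) {
    Write-Warning 'Server certificate lacks the Server Authentication EKU; PEAP clients will reject it even once the CA is trusted.'
}
if (-not $before.ChainTrusted -and $Install) {
    Install-CaRootCert -Path $CaCertPath
    # Re-run the chain build to confirm the import resolved the trust problem.
    Test-NpsServerCertTrust -Path $ServerCertPath | Format-List ChainTrusted, ChainStatus
}
```

    A ChainStatus of UntrustedRoot before the import is the condition behind the terminate/connect warning on the non-domain laptop; a domain-joined machine already has the CA certificate via Group Policy, which is why it never sees it.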
  • Hi Ace,

    I will look into getting a cert from a public CA.  What kind am I looking to buy ?  I went to thawte and they have a whole laundry list to choose from.

    Thanks again


    mstoll

    Tuesday, February 12, 2013 3:14 PM
  • You would need a v2 cert purposed to identify a machine & user account. The user account is optional, but that's what I would choose. I'm not sure what the pricing would be and suggest to shop among the CAs for best pricing.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, February 13, 2013 4:44 PM
  • Hi Ace,

    I looked at getting a cert from a public CA, but I'm not having much luck. Could you provide me a direct link to what I need, please?

    Thank you once again


    mstoll

    Tuesday, February 19, 2013 5:12 PM