In part 1, we started to walk through deploying a 801.x wireless network. In this article, we will look at configuring the Network Policy Server (NPS) role, the access points, and finally pushing out the settings to clients via Group Policy.
We already started to set up our 802.1x wireless network, by installing certificate services and enrolling our NPS server. We now have to configure our ‘Network Policy Server’. We can do this by opening the NPS frontend which you can find in the Administrative Tools folder.
The first thing to check is that NPS has been registered in Active Directory – right click the root NPS node and if it isn’t greyed out, click ‘Register server in Active Directory’. We can now start the NPS wizard, by clicking on the NPS root node, then from the main area, selecting ‘RADIUS Server for 802.1x wireless’ from the pulldown menu, then clicking the ‘configure 802.1x’ link below it.
Network Policy Server – RADIUS configuration
From the next window, we want to select wireless connections, and enter a descriptive name for the policies the wizard will create within NPS. Once we have entered this information, we need to set up a RADIUS client. All your access points will be RADIUS clients (provided that they support this). You will need to supply a friendly name (I used the access point’s hostname) and also its IP address.
Next, we have to supply a shared secret that is common for all access points and the NPS server. The main point is that users will never have to deal with the shared secret. On the first RADIUS client, you can use the ‘generate option’. Make sure to take a note of the generated key.
Generate the shared secret for NPS and RADIUs clients
On the next screen, we should choose MS Protected EAP (PEAP). The following screen in the wizard is of interest, as it will allow you to fine-tune who or what has access to your wireless network. I initially added ‘Domain Users’ and ‘Domain Computers’, however, this would allow employees to join untrusted devices onto our network by entering their AD username & password. In the end I opted for keeping ‘Domain Computers’ to ensure that all managed devices can connect. Then I created an Active Directory group ‘Allowed Wi-Fi users’, so IT can easily allow certain users access by adding them to an AD group.
The good thing about adding domain computers at this stage is that the wireless connection will be established before a user has logged on. This allows users who don’t have cached credentials to log on and you can manage a system remotely while it is sat at the login screen.
Once you have finished the wizard, you should restart the NPS server. NPS is now ready to start authenticating clients, so we move onto the configuration of our access points. Most access points are configured using a web based interface, as mentioned earlier. I’m using a Cisco WAP200. Once on the admin interface, I just navigated to the wireless security settings, selected WPA2-Enterprise, set the encryption to AES, entered the IP address of my RADIUS (NPS) server, and entered the shared secret that we made a note of earlier (You did take a note of it, didn’t you?)
Cisco WAP200 RADIUS configuration
At this point, clients should be ready to connect to the wireless network – I added my Active Directory user account to the ‘Allowed Wi-Fi users’ group and was then able to connect my iPhone after entering my Active Directory credentials and accepting the certificate we generated earlier.
When everything is working fine, I recommend deploying the settings to clients using Group Policy. You will find the required settings under Computer Settings > Windows settings > Security Settings > Wireless Network Policies. You can add additional access points to the RADIUS clients folder in the NPS frontend. Make sure to use the same shared secret as before.