- How to add holidays to the Exchange calendar with PowerShell - Wed, Apr 23 2014
- How to change the domain name in Exchange Server 2010 - Tue, Apr 8 2014
- How to enable Unsolicited Remote Assistance in Windows 7 / 8 - Tue, Oct 1 2013
Benefits of using 802.1x for Wi-Fi authentication
If you’re running Wi-Fi to provide access to you enterprise, you need to ensure that it is as secure as possible, and also keep access to the wireless network manageable. At home you probably use a pre shared key (PSK) to grant/restrict access to the wireless network, while this is fine for a network with only a handful of client devices, we need something a bit more durable in the enterprise – Imagine having to change the key on 100+ workstations when a disgruntled employee leaves your business! Using 802.1x / WPA2-Enterprise technology we can control access to our wireless network in a much more granular fashion, by selecting groups of users or computers from active directory that will be granted access – if a user’s AD account is disabled, so is their ability to access the wireless network. We can also use group policy to push out the Wi-Fi settings, completely centralising all aspects of you wireless network deployment.
Before we get started, we will need a few bits and pieces:
- Windows 2008 domain
- Wireless access point (supporting RADIUS/WPA2-Enterprise)
In my examples, I’ll be using a CISCO WAP200.
- Laptop with Wi-Fi that is an Active Directory domain member
Installing the NPS and Certificate Services
Firstly, we will need to add the following roles onto a server, or servers to the domain (if you’ve already got servers running these, you don’t need to add them again):
- Active Directory Certificate Services
- Network Policy and Access Services
You can add roles by opening up ‘Server Manager’, selecting ‘roles’, then clicking on ‘add roles’ and following the wizard. The Certificate Services setup will ask you a few questions, if it’s your first time using the Certificate Services role, you’ll just want to select Enterprise & Root CA.
Once we have installed the roles, we will need to enrol our NPS server for a certificate from the server that is running our Certificate Services (CS). To do this, from the server running NPS, we need the Certificates MMC snap-in (Run mmc.exe > file > Add/Remove snap-ins > Certificates) – make sure you set the snap-in to manage certificates for the computer account on the local system. Once the certificates MMC is loaded, we can enrol for a new certificate by right clicking on the Certificates\Personal\Certificates folder, then selecting ‘Request new certificate’ – all being well, we should be able to click next, then tick ‘Active Directory Enrolment’ – we should then see a certificate issued to the server running NPS, issued by our CS.
In part 2 we will continue with our 802.1x wireless setup, by configuring our NPS role and access points.
Want to write for 4sysops? We are looking for new authors.