nps using microsoft windows 2008 server

7/29/2019 NPS Using Microsoft Windows 2008 Server

1/36

UsingWindows2008WithArubaControllersVersion1.0

TobiasRiceThiswillbeabasicsetupusingWindows2008Servertoallowdot1xauthwithan

Arubacontroller.Stepstohaveabasicinstallationinclude:

1. Renametheserver2. SettingserverasDomainController3. InstallingCertificateServices4. RequestCertificates(optional)5. InstallingNetworkPolicyServices(previouslyIAS)6. CreatingGroupPolicies

RenameTheServer

SomethingdifferentaboutWindows2008Serveristhattheservernameisauto

generatedandyouarenotgivenachanceduringtheinstalltonametheserverso

youmustdobeforeinstallingActiveDirectoryorCertificateServices.

IntheInitialConfigurationTaskswindow,clicktheProvidecomputernameand

domainlink.


2/36

EnteraComputerdescriptionandclicktheChangebuttontochangethe

computername.IllbeusingWLANDCasmynameanddescription.


3/36

EntertheComputernameandclickOKandrebootwhenprompted.

SettingServerasaDomainController

Forthisexamplewesetupanewforestforthewlan.netdomain.Server2008

abstractsmostserverfunctionintoRolessowellbeaddingtheActiveDirectory

DomainServicesRolewiththeServerManagerbyclickingRolesandclickingAdd

Roles.


4/36

SelecttheActiveDirectoryDomainServicesRole.


5/36

ClickthroughtheconfirmationscreensandclickInstall.Youshouldgetseean

installationprogressscreenandfinallyaninstallationsuccessmessagethatasks

youtorunthecommanddcpromo.exewhichwillconfigureyourdomain.Soclick

thelinktorundcpromoorclicktheStartbutton,selectRunandenter

dcpromo.exe.YoushouldnowseetheActiveDirectoryDomainServiceinstall

wizard.ClickNexttocontinue.


6/36

ChooseCreateanewdomaininanewforestandclickNext.


7/36

Forourexampledomainwellusewlan.net.ClickNextanditwillchecktoseeif

thenameisalreadyusedonthenetwork.


8/36

WhenaskedtosetwhichForestFunctionalLevelIusedthe2008level.


9/36

ThenextscreenyoullseeisawarningthattheDNSserviceisntinstallandwill

offertoinstallitforyou.JustclickNexttoacceptandinstall.


10/36

Itwilldisplaythefollowingwarning,justclickYestocontinue.


11/36

JustacceptthedefaultsandclickNext.

NowyoullbepromptedtoenteraDirectoryServicesRestoreModeAdministrator


12/36

Password.EnterapasswordandclickNext.


13/36

ClickNextattheSummaryscreen.

YoullnowseetheInstallationWizardinstallDNSandActiveDirectory.Checkthe

Rebootoncompletionboxandoncethewizardfinishesitllrebootandbeready


14/36

forthenextstep.

InstallingCertificateServices

ToenablePEAPorEAPTLSwellneedtoinstallCertificateServicestoenablea

CertificateAuthority(CA)togenerateandsigncertificatesforourdomain.Again,

addaRoleviatheServerManagerandselectActiveDirectoryCertificateServices


15/36

andclickNext.

ClickthroughtheconformationscreenandselectCertificationAuthorityand

CertificateAuthorityWebEnrollmentwhichwilltellyouthatyoullneedIIStobe

installedtousetheCertificateAuthorityWebEnrollment.ClickAddRequired


16/36

RoleServicesandclickNexttocontinue.


17/36

WhenpromptedforwhichtypeofCertificateAuthoritytoinstall,choose

Enterprise.


18/36

WhenpromptedforCAType,selectRootCAandclickNext.


19/36

WhenpromptedtoSetUpPrivateKeyselectCreateanewprivatekeyandclick

Next.


20/36

WhenpromptedtoConfigureCryptographyforCA,acceptthedefaultsandclick

Nextfortherestoftheconformationscreens.

RequestCertificates(optional)

NowthatwehaveourCertificateAuthority(CA)upandrunningwemaywantto

requestacertificateforourAuthenticationServer.

WellcreateaMicrosoftManagementConsole(MMC)thatwillallowustorequest

andinstallthecertificateforourserver.PresstheStartbuttonandenterMMCin

thecommandfieldtoopentheMMC.NextwelladdtheCertificate(ForLocal

Computer)snapinbyclickingFileandchoosingAdd/RemoveSnapin.Select


21/36

CertificatesandclickAdd.


22/36

NowbesuretoselectComputerAccountandclickNext.


23/36

ChooseLocalComputer,clickFinishandOK.

TIP:WhileyourehereyoumightaswelladdtheCertificateAuthoritysnapinand

savethisMMCtoyourdesktopbecauseyoullneeditagaininthefuture.

Torequestacertificateforyourserver(ifyoudontwanttousethedefaultcertificate)expandCertificates(LocalComputerAccount),Personal,andright

clickCertificatesandselectAllTasks,RequestNewCertificate


24/36

ClickthroughtheEnrollmentscreenschoosingthesettingsyoudesireforyour

certificate.


25/36

InstallingNetworkPolicyandAccessServices

InWindows2008ServeryoucannolongerjustinstalltheInternetAuthenticationService(IAS)andhaveRADIUSfunctionality.YoumustnowinstallNetworkPolicy

andAccessServices,whichnowincludeeverythingfromearlierversionsof

WindowsserversuchasRRAS/IAS/etc,butnowincludesNAP(thinkNACfor

Windows).WewillbeinstallingandconfiguringjustenoughtoenablePEAPand

RADIUSfunctionalitywithourArubacontroller.SoonceagainheadtotheServer

ManagerandAddaRoleselectingNetworkPolicyandAccessServicesandclick

throughtheconfirmationscreen.


26/36

SelectNetworkPolicyServer,RoutingandRemoteAccessServices,Remote

AccessServiceandRouting.ClickNext,clickthroughtheconfirmationscreen


27/36

andclickInstall.

Installationwilltakeacoupleofminutesandpresentyouwithaninstallsummery.

JustclickClose.

NowthatNPSisinstalled,presstheStartbuttonandenternps.mscinthe

commandfield.TheNPSMMCshouldopenupallowingyoutoselecttheRADIUS

serverfor802.1XWirelessorWiredConnectionsInstallationWizardfromthe


28/36

StandardConfigurationpulldownmenuandclickConfigure802.1X.


29/36

FromtheSelect802.1XConnectionsTypepage,selectSecureWireless

ConnectionsandclickNext.


30/36

FromtheSpecify802.1XSwitchesscreenclickAddandenterthesettingsfor

yourArubacontrollerandpressOK.

FortheConfigureanAuthenticationMethodscreenselectMicrosoftSmartCard

orothercertificateforEAPTLSorMicrosoftProtectedEAP(PEAP)forPEAP.I


31/36

willbeselectingPEAPforthisexampleandclickConfigure


32/36

Selecttheappropriatecertificatetouseforthisserver.Inthiscasewellusethe

WLANDC.wlan.netcertificateandclickOK.

FortheSpecifyUserGroupsscreenselecttheusersand/orgroupsyouwouldlike

toallowwirelessaccess.ForthisexampleIamallowingallofmydomainusersby

selectingtheDomainUsersgroup.IfIwanttoenforceMachineAuthenticationI

needtoaddtheDomainComputersgroupaswellascheckingtheEnforce

MachineAuthoptioninthedot1xpolicyonmyArubacontroller.ClickNextto

continue.

Note:GroupslistedhereareconsideredasanORstatement.


33/36


34/36

ForthenextscreenyoucanclickNextandFinishorclickConfiguretoadd

RADIUSattributesforServerDerivationrules.

Forexample,youmaywanttomaptheDomainUserstotheemployee_roleon

yourArubacontroller.YoucoulddothatherewiththeFilterIdattribute.


35/36

Note:ThereseemstobeabuginWindowsifyoumesswiththeseattributestoo

muchtheFilterIdattributevanishes.Ifthishappenscanceloutofthewizardand

startover.

PressNextandFinishtocompletethewizard.Thisshouldnowallowyouto

authenticateusersagainstyourWindows2008Server.Totestyourconfiguration,

sshtoyourArubacontrollerandconfigureittousethenewRADIUSserver.

(MC800)>en

Password:******

(MC800)#configureterminal

EnterConfigurationcommands,oneperline.EndwithCNTL/Z


36/36

(MC800)(config)#aaaauthenticationserverradiusnps

(MC800)(RADIUSServer"nps")#host10.1.0.236

(MC800)(RADIUSServer"nps")#enable

(MC800)(RADIUSServer"nps")#keyp@ssw0rd

(MC800)(RADIUSServer"nps")#nasidentifierArubaMaster

(MC800)(RADIUSServer"nps")#nasip10.1.0.250

Nowtesttoseeifeverythingisworkingproperly.

(MC800)#aaatestservermschapv2npstobiasqwerty12!@

Authenticationsuccessful

nps using microsoft windows 2008 server

Documents