UsingWindows2008WithArubaControllersVersion1.0

TobiasRice

ThiswillbeabasicsetupusingWindows2008Servertoallowdot1xauthwithanArubacontroller.Stepstohaveabasicinstallationinclude:

1. Renametheserver2. SettingserverasDomainController3. InstallingCertificateServices4. RequestCertificates(optional)5. InstallingNetworkPolicyServices(previouslyIAS)6. CreatingGroupPolicies

RenameTheServerSomethingdifferentaboutWindows2008Serveristhattheservernameisauto‐generatedandyouarenotgivenachanceduringtheinstalltonametheserversoyoumustdobeforeinstallingActiveDirectoryorCertificateServices.

Inthe“InitialConfigurationTasks”window,clickthe“Providecomputernameanddomain”link.

EnteraComputerdescriptionandclickthe“Change…”buttontochangethecomputername.I’llbeusingWLAN‐DCasmynameanddescription.

EntertheComputernameandclick“OK”andrebootwhenprompted.

SettingServerasaDomainControllerForthisexamplewesetupanewforestforthewlan.netdomain.Server2008abstractsmostserverfunctioninto“Roles”sowe’llbeaddingtheActiveDirectoryDomainServicesRolewiththeServerManagerbyclicking“Roles”andclicking“AddRoles.”

SelecttheActiveDirectoryDomainServicesRole.

ClickthroughtheconfirmationscreensandclickInstall.Youshouldgetseeaninstallationprogressscreenandfinallyan“installationsuccess”messagethatasksyoutorunthecommand“dcpromo.exe”whichwillconfigureyourdomain.Soclickthelinktorun“dcpromo”orclickthe“Start”button,select“Run”andenter“dcpromo.exe”.Youshouldnowseethe“ActiveDirectoryDomainService”installwizard.Click“Next“tocontinue.

Choose“Createanewdomaininanewforest”andclick“Next”.

Forourexampledomainwe’lluse“wlan.net”.Click“Next”anditwillchecktoseeifthenameisalreadyusedonthenetwork.

Whenaskedtosetwhich“ForestFunctionalLevel”Iusedthe2008level.

Thenextscreenyou’llseeisawarningthattheDNSserviceisn’tinstallandwilloffertoinstallitforyou.Justclick“Next”toacceptandinstall.

Itwilldisplaythefollowingwarning,justclick“Yes”tocontinue.

Justacceptthedefaultsandclick“Next”.

Nowyou’llbepromptedtoentera“DirectoryServicesRestoreModeAdministrator

Password”.Enterapasswordandclick“Next”.

Click“Next”attheSummaryscreen.

You’llnowseetheInstallationWizardinstallDNSandActiveDirectory.Checkthe“Rebootoncompletion”boxandoncethewizardfinishesit’llrebootandbeready

forthenextstep.

InstallingCertificateServices

ToenablePEAPorEAP‐TLSwe’llneedtoinstallCertificateServicestoenableaCertificateAuthority(CA)togenerateandsigncertificatesforourdomain.Again,addaRoleviatheServerManagerandselect“ActiveDirectoryCertificateServices”

andclick“Next”.

Clickthroughtheconformationscreenandselect“CertificationAuthority”and“CertificateAuthorityWebEnrollment”whichwilltellyouthatyou’llneedIIStobeinstalledtousethe“CertificateAuthorityWebEnrollment”.Click“AddRequired

RoleServices”andclick“Next”tocontinue.

WhenpromptedforwhichtypeofCertificateAuthoritytoinstall,choose“Enterprise”.

WhenpromptedforCAType,select“RootCA”andclick“Next”.

WhenpromptedtoSetUpPrivateKeyselect“Createanewprivatekey”andclick“Next”.

WhenpromptedtoConfigureCryptographyforCA,acceptthedefaultsandclick“Next”fortherestoftheconformationscreens.

RequestCertificates(optional)

NowthatwehaveourCertificateAuthority(CA)upandrunningwemaywanttorequestacertificateforourAuthenticationServer.

We’llcreateaMicrosoftManagementConsole(MMC)thatwillallowustorequestandinstallthecertificateforourserver.Pressthe“Start”buttonandenter“MMC”inthecommandfieldtoopentheMMC.Nextwe’lladdtheCertificate(ForLocalComputer)snap‐inbyclicking“File”andchoosing“Add/RemoveSnap‐in”.Select

“Certificates”andclick“Add”.

Nowbesuretoselect“ComputerAccount”andclick“Next”.

Choose“LocalComputer”,click“Finish”and“OK”.

TIP:Whileyou’rehereyoumightaswelladdthe“CertificateAuthority”snap‐inandsavethisMMCtoyourdesktopbecauseyou’llneeditagaininthefuture.

Torequestacertificateforyourserver(ifyoudon’twanttousethedefaultcertificate)expand“Certificates(LocalComputerAccount)”,“Personal”,andright‐click“Certificates”andselect“AllTasks”,“RequestNewCertificate…”

ClickthroughtheEnrollmentscreenschoosingthesettingsyoudesireforyourcertificate.

InstallingNetworkPolicyandAccessServices

InWindows2008ServeryoucannolongerjustinstalltheInternetAuthenticationService(IAS)andhaveRADIUSfunctionality.YoumustnowinstallNetworkPolicyandAccessServices,whichnowincludeeverythingfromearlierversionsofWindowsserversuchasRRAS/IAS/etc,…butnowincludesNAP(thinkNACforWindows).WewillbeinstallingandconfiguringjustenoughtoenablePEAPandRADIUSfunctionalitywithourArubacontroller.SoonceagainheadtotheServerManagerand“AddaRole”selecting“NetworkPolicyandAccessServices”andclickthroughtheconfirmationscreen.

Select“NetworkPolicyServer”,“RoutingandRemoteAccessServices”,“RemoteAccessService”and“Routing”.Click“Next”,clickthroughtheconfirmationscreen

andclick“Install”.

Installationwilltakeacoupleofminutesandpresentyouwithaninstallsummery.Justclick“Close”.

NowthatNPSisinstalled,pressthe“Start”buttonandenter“nps.msc”inthecommandfield.TheNPSMMCshouldopenupallowingyoutoselectthe“RADIUSserverfor802.1XWirelessorWiredConnections”InstallationWizardfromthe

“StandardConfiguration”pull‐downmenuandclick“Configure802.1X”.

Fromthe“Select802.1XConnectionsType”page,select“SecureWirelessConnections”andclick“Next”.

Fromthe“Specify802.1XSwitches”screenclick“Add…”andenterthesettingsforyourArubacontrollerandpress“OK”.

Forthe“ConfigureanAuthenticationMethod”screenselect“MicrosoftSmartCardorothercertificate”forEAP‐TLSor“MicrosoftProtectedEAP(PEAP)”forPEAP.I

willbeselectingPEAPforthisexampleandclick“Configure…”

Selecttheappropriatecertificatetouseforthisserver.Inthiscasewe’llusethe“WLAN‐DC.wlan.net”certificateandclick“OK”.

Forthe“SpecifyUserGroups”screenselecttheusersand/orgroupsyouwouldliketoallowwirelessaccess.ForthisexampleIamallowingallofmydomainusersbyselectingthe“DomainUsers”group.IfIwanttoenforceMachineAuthenticationIneedtoaddthe“DomainComputers”groupaswellascheckingthe“EnforceMachineAuth”optioninthedot1xpolicyonmyArubacontroller.Click“Next”tocontinue.

Note:GroupslistedhereareconsideredasanORstatement.

Forthenextscreenyoucanclick“Next”and“Finish”orclick“Configure…”toaddRADIUSattributesforServerDerivationrules.

Forexample,youmaywanttomapthe“DomainUsers”tothe“employee_role”onyourArubacontroller.Youcoulddothatherewiththe“Filter‐Id”attribute.

Note:ThereseemstobeabuginWindowsifyoumesswiththeseattributestoomuchthe“Filter‐Id”attributevanishes.Ifthishappenscanceloutofthewizardandstartover.

Press“Next”and“Finish”tocompletethewizard.ThisshouldnowallowyoutoauthenticateusersagainstyourWindows2008Server.Totestyourconfiguration,sshtoyourArubacontrollerandconfigureittousethenewRADIUSserver.

(MC800)>en

Password:******

(MC800)#configureterminal

EnterConfigurationcommands,oneperline.EndwithCNTL/Z

(MC800)(config)#aaaauthentication‐serverradiusnps

(MC800)(RADIUSServer"nps")#host10.1.0.236

(MC800)(RADIUSServer"nps")#enable

(MC800)(RADIUSServer"nps")#keyp@ssw0rd

(MC800)(RADIUSServer"nps")#nas‐identifierAruba‐Master

(MC800)(RADIUSServer"nps")#nas‐ip10.1.0.250

Nowtesttoseeifeverythingisworkingproperly.(MC800)#aaatest‐servermschapv2npstobiasqwerty12!@

Authenticationsuccessful