NPS Using Microsoft Windows 2008 Server
Version 1.0
Tobias Rice
This will be a basic setup using Windows 2008 Server to allow dot1x auth with an Aruba controller. Steps to have a basic installation include:
1. Rename the server
2. Setting server as Domain Controller
3. Installing Certificate Services
4. Request Certificates (optional)
5. Installing Network Policy Services (previously IAS)
6. Creating Group Policies
Rename The Server
Something different about Windows 2008 Server is that the server name is auto-generated and you are not given a chance to name the server during the install, so you must rename it before installing Active Directory or Certificate Services.
In the Initial Configuration Tasks window, click the Provide computer name and domain link.
Enter a Computer description and click the Change button to change the computer name. I'll be using WLANDC as my name and description.
Enter the Computer name, click OK, and reboot when prompted.
Setting Server as a Domain Controller
For this example we set up a new forest for the wlan.net domain. Server 2008 abstracts most server functions into Roles, so we'll be adding the Active Directory Domain Services Role with the Server Manager by clicking Roles and clicking Add Roles.
Select the Active Directory Domain Services Role.
Choose Create a new domain in a new forest and click Next.
For our example domain we'll use wlan.net. Click Next and it will check to see if the name is already used on the network.
When asked to set which Forest Functional Level, I used the 2008 level.
The next screen you'll see is a warning that the DNS service isn't installed, and it will offer to install it for you. Just click Next to accept and install.
It will display the following warning; just click Yes to continue.
Just accept the defaults and click Next.
Now you'll be prompted to enter a Directory Services Restore Mode Administrator Password. Enter a password and click Next.
Click Next at the Summary screen.
You'll now see the Installation Wizard install DNS and Active Directory. Check the Reboot on completion box, and once the wizard finishes it'll reboot and be ready for the next step.
Installing Certificate Services
and click Next.
Role Services and click Next to continue.
When prompted for which type of Certificate Authority to install, choose Enterprise.
When prompted for CA Type, select Root CA and click Next.
When prompted to Set Up Private Key, select Create a new private key and click Next.
When prompted to Configure Cryptography for CA, accept the defaults and click Next for the rest of the confirmation screens.
Request Certificates (optional)
Now that we have our Certificate Authority (CA) up and running, we may want to request a certificate for our Authentication Server.
We'll create a Microsoft Management Console (MMC) that will allow us to request and install the certificate for our server. Press the Start button and enter MMC in the command field to open the MMC. Next we'll add the Certificate (For Local Computer) snap-in by clicking File and choosing Add/Remove Snap-in. Select Certificates and click Add.
Now be sure to select Computer Account and click Next.
Choose Local Computer, click Finish and OK.
Click through the Enrollment screens, choosing the settings you desire for your certificate.
Installing Network Policy and Access Services
In Windows 2008 Server you can no longer just install the Internet Authentication Service (IAS) and have RADIUS functionality. You must now install Network Policy and Access Services, which includes everything from earlier versions of Windows Server such as RRAS/IAS/etc., and now also includes NAP (think NAC for Windows). We will be installing and configuring just enough to enable PEAP and RADIUS functionality with our Aruba controller. So once again head to the Server Manager and Add a Role, selecting Network Policy and Access Services, and click through the confirmation screen.
Select Network Policy Server, Routing and Remote Access Services, Remote Access Service and Routing. Click Next, click through the confirmation screen and click Install.
Standard Configuration pull-down menu and click Configure 802.1X.
From the Select 802.1X Connections Type page, select Secure Wireless Connections and click Next.
From the Specify 802.1X Switches screen, click Add, enter the settings for your Aruba controller and press OK.
For the Configure an Authentication Method screen, select Microsoft Smart Card or other certificate for EAP-TLS or Microsoft Protected EAP (PEAP) for PEAP. I will be selecting PEAP for this example and clicking Configure.
Select the appropriate certificate to use for this server. In this case we'll use the WLANDC.wlan.net certificate and click OK.
For the next screen you can click Next and Finish, or click Configure to add RADIUS attributes for Server Derivation rules.
For example, you may want to map the Domain Users to the employee_role on your Aruba controller. You could do that here with the Filter-Id attribute.
Note: There seems to be a bug in Windows: if you mess with these attributes too much, the Filter-Id attribute vanishes. If this happens, cancel out of the wizard and start over.
Press Next and Finish to complete the wizard. This should now allow you to authenticate users against your Windows 2008 Server. To test your configuration, ssh to your Aruba controller and configure it to use the new RADIUS server.
(MC800) >en
Password:******
(MC800) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
Now test to see if everything is working properly.
(MC800) #aaa test-server mschapv2 nps tobias qwerty12!@
Authentication successful
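How the Filter-Id mapping described above travels from NPS to the controller, as an added example that is not part of the original document: this Python sketch builds a constructed RADIUS Access-Accept carrying Filter-Id employee_role, checks its Response Authenticator as defined in RFC 2865, and extracts the attribute. The shared secret, request authenticator and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code
FILTER_ID = 11     # RFC 2865 attribute type
# Constructed sample values (assumptions, not taken from the page)
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))

def response_auth(header, request_auth, attrs, secret):
    # MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, secret, filter_id):
    """Build a constructed Access-Accept carrying one Filter-Id attribute."""
    value = filter_id.encode()
    attrs = struct.pack("!BB", FILTER_ID, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_auth(header, request_auth, attrs, secret) + attrs

def parse_attributes(data):
    """Yield (type, value) pairs, rejecting malformed attribute lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def filter_id_from_accept(packet, request_auth, secret):
    """Return Filter-Id from an authentic Access-Accept (None if absent)."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = response_auth(packet[:4], request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    for atype, value in parse_attributes(attrs):
        if atype == FILTER_ID:
            return value.decode()
    return None

SAMPLE = build_access_accept(1, REQ_AUTH, SECRET, "employee_role")
```

A role name is only accepted when the authenticator matches, so a mismatched shared secret between the controller and NPS, or a reply altered in transit, raises an error instead of yielding a role.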