
Config Reference Guide

RADIUS and Active Directory


Configuration Reference Guide:
Enterasys Technical Training Lab Configuration for the following courses: NAC, Policy

February 2011

©2011 Enterasys Networks, Inc. All rights reserved - Enterasys Confidential


-1-
Server 2008 Active Directory / RADIUS

Lab Setup Procedure

I. Server Configuration

A. Initial Configuration

1. Install Operating System
2. Install Windows updates
3. Rename the server before continuing to the DCPROMO wizard

B. DC PROMO Wizard

NOTE: DCPROMO is a Windows function that promotes a member server to a domain controller or demotes a domain controller to a member server in Active Directory.

1. Run the “dcpromo” command from the command line or via the Run option. (See Figure 1)

Figure 1: Windows Server 2008 R2 DCPROMO wizard

2. Create a new domain in a new forest. (See Figure 2)

Figure 2: Active Directory Services Install Wizard

3. Name the server with a fully qualified domain name (FQDN). Choose a unique name that is available within your domain, or the wizard will provide one for you. This example uses the domain: training.com

Figure 3: Active Directory Wizard / Fully Qualified Domain Name

Figure 4: Set Forest Functional Level

4. Continue with the wizard and add DNS as an additional option for this Domain Controller. (See Figure 5)

Figure 5: Adding DNS

5. Assign a static IP address to the server.

6. Choose the default location for the Database, Log Files and SYSVOL. (See Figure 6)

Figure 6: Default Location for Database

7. For the Directory Services Restore password, choose something that you can remember easily.

NOTE: This password is different from the Domain Administrator password.

Figure 7: Active Directory Wizard Summary

8. Select “Next” at the Summary portion of the wizard.

9. Finish the Wizard. This will require a reboot of the server.

Figure 8: Completing the Active Directory Install Wizard

C. Adding Additional Features

1. To add new features to the server, access the Server Manager Snap-In. (See Figure 9)

Figure 9: Server Manager

2. Add the following features to the server, and select Next:

a. .NET Framework
b. Group Policy Management
c. Remote Server Administration Tools
i. Certification Authority Tools
ii. DHCP Server Tools
iii. Web Server (IIS) Tools
d. Telnet Client
e. Windows Process Activation Service

Figure 10: Server Features Wizard

Figure 11: Features Wizard / Adding IIS

3. Select the following Role Services that are associated with Web Server (IIS) to be installed on the local server. (See Figure 12)

a. Common HTTP Features
i. Static Content
ii. Default Document
iii. Directory Browsing
iv. HTTP Errors

b. Application Development
i. ASP.NET
ii. .NET Extensibility
iii. ISAPI Extensions
iv. ISAPI Filters
c. Health and Diagnostics
i. HTTP Logging
ii. Logging Tools
iii. Request Monitor
iv. Tracing
d. Security
i. Basic Authentication
ii. Windows Authentication
iii. Digest Authentication
iv. Client Certificate Mapping Authentication
v. URL Authorization
vi. Request Filtering
vii. IP and Domain Restrictions
e. Performance
i. Static Content Compression
ii. Dynamic Content Compression
f. Management Tools
i. IIS Management Console
ii. IIS Management Scripts and Tools
iii. Management Service
g. IIS 6 Management Compatibility
i. IIS 6 Metabase Compatibility
h. FTP Server
i. FTP Service
ii. FTP Extensibility

Figure 12: Roles Services for IIS

4. Select “Next” and complete the install. The server will restart several times during the process.

D. Adding Additional Roles

1. The server requires additional Roles to gain full functionality.


2. Access the Server Manager Snap-In and choose Add Roles. This starts the Add Roles Wizard. Before starting this wizard, verify that you have assigned a static IP to the server. (See Figure 13)

Figure 13: Add Roles / Server Manager

3. Add the following Server Roles and select Next: (See Figure 14)

a. Active Directory Certificate Services
b. Application Server
c. DHCP Server
d. Network Policy and Access Services

4. Select the Network Policy Server role service and select Next. (See Figure 15)

Figure 14: Add Roles Wizard

Figure 15: Select Role Services

5. DHCP Server Configuration: Select the network connection that the server will use for servicing DHCP clients. Select Next. (See Figure 16)

Note: Be certain that the IP address has been statically assigned to the server.

Figure 16: Add Roles Wizard / DHCP Server

Figure 17: Validating DNS Server

6. The next step in the wizard is the IPv4 WINS Settings. WINS is not required for this setup. Select “WINS is not required for applications on this network.” (See Figure 18)

Figure 18: WINS Server Settings

7. Edit DHCP Scopes: The following step of the wizard allows the Administrator to add DHCP scopes. The DHCP server cannot distribute IP addresses to clients until a scope is created. Figure 19 is an example of a DHCP scope.

NOTE: Be certain that any scopes added are routed throughout your lab network. For certain setups, e.g. NAC, multiple DHCP scopes will be needed.

Figure 19: Adding DHCP Scope

8. Configure DHCPv6 Stateless Mode: For this procedure, enable DHCPv6. Select Next and keep the default DNS IPv6 address settings. (See Figure 20)

Figure 20: IPv6 DNS settings

9. DHCP Server Authorization: For the following step select “Use current credentials.” These credentials will be used to authorize the DHCP server in AD DS.

10. Application Server: Verify that the following Role Services are selected. (See Figure 21)
a. .NET Framework 3.5.1
b. Web Server (IIS) Support
c. HTTP Activation
d. TCP Activation

Figure 21: Application Server / Role Services

11. Active Directory Certificate Services: Select the following Role Services

a. Certification Authority
b. Certification Authority Web Enrollment
c. Certificate Enrollment Web Service (Note: This service cannot be installed at this time)
d. Certificate Enrollment Policy Web Service

12. Setup Type: For the purpose of this standalone lab use the “Enterprise” option. Select Next. (See Figure 22)

Figure 22: Certificate Authority Type

13. Certificate Authority Type: For this setup select “Root CA.”

14. Set Up Private Key: Create a new private key. The new private key must be created because this is a standalone setup. (See Figure 23)

Private Key Settings:
CSP: RSA# Microsoft Software Key Storage Provider
Key Character Length: 2048
Hash: SHA1

Figure 23: Cryptography Setup

15. Configure CA Name: Keep the default settings and select Next.

16. Validity Period: Keep the default settings of 5 years. Select Next.

17. Certificate Database: Keep the default settings. Select Next.

18. Authentication Type: Select “Windows Integrated Authentication”.

19. Server Authentication Certificate for SSL Encryption: Select “Choose an existing certificate for SSL encryption (recommended).” (See Figure 24) Then select Next.

Figure 24: Server Authentication Certificate for SSL

E. Web Server (IIS)

1. Role Services: Select Next. All role services that are needed have already been selected.
2. Confirmation: The confirmation portion of the wizard will warn about changes that cannot be undone regarding the Certificate Authority. Select “Install”.

F. Results

1. After running the Add Roles Wizard you should receive the following screen: (See Figure 25)

Figure 25: Results page of Add Roles Wizard

G. Active Directory Certificate Services Continued

1. As mentioned in Step D-11, the Certificate Enrollment Web Service could not be installed earlier; that installation is completed now.
2. Start the Add Role Services Wizard by right-clicking Active Directory Certificate Services. (Refer to Figure 26)

Figure 26: Add Roles Services/ Active Directory

3. Choose the Certificate Enrollment Web Service, and select “Next.”

4. Next, use the default settings. (Refer to Figure 27)

Figure 27: Certificate Authority / Certificate Enrollment Services

II. Roles Configuration

A. Active Directory Domain Services

1. Creating a new group and user within Active Directory.

2. Right-click the domain in the Active Directory tree and select New Group. For this instance we will be creating a new group and user within the training.com domain. (See Figure 28)

Figure 28: Active Directory Configuration

3. Next create a new user using the same method as in Step 2 and fill in the desired fields. User1 will be used for this example. (See Figure 29)

Figure 29: Create new user

4. Add the newly created User: user1 to the newly created Group: Test-Users.

5. Highlight the Users folder in the training.com tree; user1 will be listed in the column directly to the right.

6. Right-click user1 and select Add to a group…

7. The Select Groups window will appear. In the Enter Object Name window type: Test-Users and click Check Names. This queries the directory, and if the group is valid its name becomes underlined. Select OK. (See Figure 30)

Figure 30: Adding user to group

B. DHCP Server

1. Creating an IPv4 DHCP scope.

2. Access the Server Manager Snap-In as in Step A to access the DHCP menu tree.

3. Right-click the IPv4 icon and select New Scope. This starts the New Scope Wizard. (Refer to Figure 31)

Figure 31: New DHCP Scope

4. Continue with the wizard, name the DHCP scope and select Next.

5. Select an IP range. (Refer to Figure 32 for an example.)

Figure 32: DHCP Scope / IP Range

6. The next step describes the use of exclusions; for the purpose of this procedure the following exclusion has been added. (Refer to Figure 33)

Figure 33: DHCP Exclusion

7. Keep the default settings for the Lease Duration, and select Next.

8. Configure DHCP Options: Select “Yes” and configure the appropriate options for this scope.

a. Router IP: 192.168.10.1
b. DNS server: 10.120.85.181

9. Continue with the wizard and activate the scope to complete the wizard.
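The same scope built from the command line instead of the New Scope Wizard, as an added example that is not part of the Enterasys guide. It assumes the scope network is 192.168.10.0/24 (inferred from the router address in step 8); the lease range and exclusion range are placeholders, since the guide shows them only in Figures 32 and 33.

```powershell
# Added example (not from the Enterasys guide): section II.B with netsh.
# Run in an elevated prompt on the DHCP server.
# Assumed: scope network 192.168.10.0/24; range and exclusion are placeholders.
$Scope = "192.168.10.0"
$Mask  = "255.255.255.0"

# Step 4: create and name the scope
netsh dhcp server add scope $Scope $Mask "Lab Scope" "Enterasys lab network"

# Step 5: address range handed out to clients (placeholder values)
netsh dhcp server scope $Scope add iprange 192.168.10.100 192.168.10.200

# Step 6: exclusion kept out of the pool for statically addressed devices (placeholder)
netsh dhcp server scope $Scope add excluderange 192.168.10.100 192.168.10.109

# Step 7: lease duration stays at the default, so nothing is set here.
# Step 8: option 003 = Router, option 006 = DNS Servers (values from the guide)
netsh dhcp server scope $Scope set optionvalue 003 IPADDRESS 192.168.10.1
netsh dhcp server scope $Scope set optionvalue 006 IPADDRESS 10.120.85.181

# Step 9: activate the scope (1 = active) and review what clients will be offered
netsh dhcp server scope $Scope set state 1
netsh dhcp server scope $Scope show optionvalue
netsh dhcp server scope $Scope show state
```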

C. DNS Server

1. Verify that there is a Host (A) record in the Forward Lookup Zones for TEST-AD under the training.com zone. (Refer to Figure 34)

Figure 34: Forward Lookup Zones / Host (A) record

2. Create a Reverse Lookup Zone for the TEST-AD server.

3. Right Click on Reverse Lookup Zones in the DNS tree. This will start the New Zone
Wizard.

Figure 35: Reverse Lookup Zone Wizard

Figure 36: Primary Zone

4. Create a Primary Zone, and select Next. (Refer to Figure 36)

5. Active Directory Zone Replication Scope: for this lab setup select “To all DNS servers running on the domain: training.com”

6. Create an IPv4 Reverse Lookup Zone.

7. Create a Reverse Lookup Zone Name. (See Figure 37)

Figure 37: Reverse Lookup Zone Name

8. Dynamic Update: Allow only secure dynamic updates. This completes the Wizard.

9. The next step will be to add PTR records to the newly created Reverse Lookup Zone.

10. Right-click the newly created Reverse Lookup Zone and select New Pointer (PTR). (Refer to Figure 38)

Figure 38: New Pointer Record

11. The PTR will be created for the TEST-AD server. The New Resource Record window will appear. Use the following Host Name: test-ad.training.com. Select OK.

12. Perform an NSLOOKUP to verify that DNS is functioning correctly. (Refer to Figure 39)

Figure 39: NSLOOKUP
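The reverse-zone steps of this section scripted with dnscmd, as an added example that is not part of the Enterasys guide. It assumes TEST-AD's address is 10.120.85.181 (the DNS server value handed out by the DHCP scope in section II.B), so the reverse zone is 85.120.10.in-addr.arpa and the PTR node is the host octet 181; the guide itself shows the zone name only in Figure 37.

```powershell
# Added example (not from the Enterasys guide): section II.C with dnscmd, run on the DC.
# Assumed: TEST-AD = 10.120.85.181, hence zone 85.120.10.in-addr.arpa and node 181.
$DnsServer = "test-ad.training.com"
$Reverse   = "85.120.10.in-addr.arpa"

# Step 1: the Host (A) record for TEST-AD must already exist in training.com
dnscmd $DnsServer /EnumRecords training.com test-ad /Type A

# Steps 2-7: AD-integrated primary reverse zone, replicated to all DNS servers
# in the domain (DomainDnsZones partition, matching the wizard choice in step 5)
dnscmd $DnsServer /ZoneAdd $Reverse /DsPrimary /dp /domain

# Step 8: secure dynamic updates only (0 = none, 1 = nonsecure and secure, 2 = secure)
dnscmd $DnsServer /Config $Reverse /AllowUpdate 2

# Steps 9-11: PTR record for TEST-AD; the node name is the host octet of the address
dnscmd $DnsServer /RecordAdd $Reverse 181 PTR test-ad.training.com.

# Step 12: confirm forward and reverse resolution against this server
nslookup test-ad.training.com $DnsServer
nslookup 10.120.85.181 $DnsServer
```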

D. Network Policy and Access Services

Configure RADIUS Client:

1. Start, point to Administrative Tools, and then click Network Policy Server.

2. If the RADIUS server is a domain member, ensure it is registered in Active Directory. To do this, right-click the root node NPS (Local), and then click Register server in Active Directory.

3. From the Internet Authentication Service management console, right-click the RADIUS Clients folder, and then click New RADIUS Client. The New RADIUS Client window will appear. (See Figure 40)

Figure 40: RADIUS Client configuration

4. On the Name and Address page, enter a Friendly name. This procedure used: Lab Network.

5. In Client address (IP or DNS), enter the IP address of the adapter through which RADIUS clients access the domain controller (usually the internal adapter). Using an IP address rather than a DNS name ensures that IAS does not need to resolve client names at start-up (recommended).

6. Click Next.

7. On the Advanced tab, in Vendor name, ensure that RADIUS Standard is selected. In Shared secret, specify a password, and in Confirm shared secret, confirm the password. This procedure used: mysecret

Configure Policies

8. Configure Policy to be used with the RADIUS client.

9. Create a new Network Policy: right-click Network Policies and select New. This starts the New Policy wizard.

10. Name the Policy. This procedure used: NAME

11. Specify Conditions: Select Add, then select Windows Groups. Add the Windows group that was created earlier: “Test-Users”

12. Specify Access Permissions: Select “Access Granted”

13. Configure Authentication Methods: Select Add and select Microsoft Protected EAP (PEAP). Select Edit and verify the certificate information. (Refer to Figure 41)

Figure 41: PEAP Properties

14. Configure Constraints: Keep the defaults, and select Next.

15. Configure Settings: RADIUS Attributes

a. Select Add, select “Filter ID”
b. Add an attribute value: Enterasys:version=1:policy=Enterprise User (See Figure 42)

16. Select Next and then Finish.

Figure 42: RADIUS Attributes
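The RADIUS client part of this section (steps 2 to 7) done with the netsh nps context, as an added example that is not part of the Enterasys guide. It assumes the RADIUS client (the lab switch or NAC appliance that will send Access-Requests) sits at 192.168.10.1, the router address of the lab scope; the friendly name and shared secret are the ones the guide used. The network policy of steps 8 to 16, including the Filter-Id value, has no netsh add command in Server 2008 R2 and remains a console task.

```powershell
# Added example (not from the Enterasys guide): section II.D steps 2-7 with netsh nps,
# run in an elevated prompt on the NPS server.
# Assumed: RADIUS client address 192.168.10.1; name and secret as in the guide.

# Step 2: register NPS in Active Directory so it can read users' dial-in properties
netsh nps add registeredserver

# Steps 3-7: the RADIUS client; vendorname defaults to RADIUS Standard when omitted
netsh nps add client name = "Lab Network" address = "192.168.10.1" state = "enable" sharedsecret = "mysecret"

# Confirm what was stored
netsh nps show client name = "Lab Network"

# After the policy from steps 8-16 exists, keep a full copy of the configuration.
# exportPSK = YES writes the shared secrets into the file, so store it as a secret.
netsh nps export filename = "C:\nps-lab-backup.xml" exportPSK = YES
```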

Version | Date | Author | Changes
0.0.0 | 02/28/11 | Andres Lara | Initial Draft
0.0.1 | 3/10/2011 | Andres Lara | Reviewed and made formatting changes.

Terms & Conditions of Use:

Enterasys Networks, Inc. reserves all rights to its materials and the content of the materials. No
material provided by Enterasys Networks, Inc. to a Partner (or Customer, etc.) may be reproduced or
transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording, or by any information storage or retrieval system, or incorporated into any other published
work, except for internal use by the Partner and except as may be expressly permitted in writing by
Enterasys Networks, Inc.

This document and the information contained herein are intended solely for informational use.
Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or
implied, with respect to this information and assumes no responsibility for its accuracy or
completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information
contained herein and all the material and information herein exists to be used only on an "as is"
basis. More specific information may be available on request. By your review and/or use of the
information contained herein, you expressly release Enterasys from any and all liability related in any
way to this information. A copy of the text of this section is an uncontrolled copy, and may lack
important information or contain factual errors. All information herein is Copyright ©Enterasys
Networks, Inc. All rights reserved. All information contained in this document is subject to change without notice.

For additional information refer to: http://www.enterasys.com/constants/terms-of-use.aspx
