Enterasys Technical Training - RADIUS and AD Setup Parameters Guide
February 2011
I. Server Configuration
A. Initial Configuration
B. DC PROMO Wizard
NOTE: DCPROMO is a Windows function to promote a member server into a domain controller
or to demote a domain controller to a member server in Active Directory.
1. Run the “dcpromo” command from the command line or via the Run option. (See Figure 1)
3. Name the server with a fully qualified domain name (FQDN). Choose a unique name
that is available within your domain, or the wizard will provide one for you. This
example uses the domain: training.com
4. Continue with the wizard and add DNS as an additional option for this Domain
Controller. (See Figure 5.)
7. For the Directory Services Restore password, choose something that you can remember
easily.
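The same promotion can be scripted instead of clicking through the DCPROMO wizard. The block below is an added example, not part of the Enterasys guide: it assumes a Windows Server 2008 R2 host and the Server 2008 R2 unattend keys for dcpromo, and uses the guide's training.com domain with a constructed NetBIOS name of TRAINING. The Directory Services Restore Mode password is prompted for rather than written into the script, and the answer file (which must hold it in clear text) is removed as soon as dcpromo has read it.

```powershell
# Added example (not from the Enterasys guide). Assumes Windows Server 2008 R2
# dcpromo unattend keys; training.com is the guide's domain, TRAINING is a
# constructed NetBIOS name.

$dsrm  = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))

# Wizard steps 3 and 4: new forest named training.com with DNS installed.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=training.com
DomainNetbiosName=TRAINING
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@

$answerFile = Join-Path $env:TEMP 'dcpromo-answer.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    dcpromo /unattend:$answerFile
} finally {
    # The answer file carries the DSRM password in clear text; delete it
    # as soon as dcpromo has consumed it, even if promotion failed.
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}
Write-Host 'Promotion finished; restart the server to complete it.'
```

RebootOnCompletion is set to No so that the cleanup in the finally block always runs; restart the server by hand afterwards, as the wizard would have done.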
1. To add new features to the server, access the Server Manager Snap-In.
a. See Figure 9.
a. .NET Framework
b. Group Policy Management
c. Remote Server Administration Tools
i. Certification Authority Tools
ii. DHCP Server Tools
iii. Web Server (IIS) Tools
d. Telnet Client
e. Windows Process Activation Service
b. Application Development
i. ASP.NET
ii. .NET Extensibility
iii. ISAPI Extensions
iv. ISAPI Filters
c. Health and Diagnostics
i. HTTP Logging
ii. Logging Tools
iii. Request Monitor
iv. Tracing
d. Security
i. Basic Authentication
ii. Windows Authentication
iii. Digest Authentication
iv. Client Certificate Mapping Authentication
v. URL Authorization
vi. Request Filtering
vii. IP and Domain Restrictions
e. Performance
i. Static Content Compression
ii. Dynamic Content Compression
f. Management Tools
i. IIS Management Console
ii. IIS Management Scripts and Tools
iii. Management Service
g. IIS 6 Management Compatibility
i. IIS 6 Metabase Compatibility
h. FTP Server
i. FTP Service
ii. FTP Extensibility
4. Select “Next” and complete the install. The server will restart several times during the
process.
3. Add the following Server Roles and select Next: (See Figure 14)
4. Select the Network Policy Server role service and select Next. (See Figure 15)
5. DHCP Server Configuration: Select the network connection that the server will use for
servicing DHCP clients. Select Next. (See Figure 16)
Note: Be certain that the IP address has been statically assigned to the server.
7. Edit DHCP Scopes: The following step of the wizard allows the Administrator to add
DHCP scopes. The DHCP server cannot distribute IP addresses to clients until a scope is
created. Figure 19 is an example of a DHCP scope.
NOTE: Be certain that any scopes added are routed throughout your lab network. For
certain setups, e.g. NAC, multiple DHCP scopes will be needed.
8. Configure DHCPv6 Stateless Mode: For this procedure, Enable DHCPv6. Select Next and
keep the Default DNS IPv6 address settings. (See Figure 20)
10. Application Server: Verify that the following Role Services are selected. (See Figure 21)
a. .NET Framework 3.5.1
b. Web Server (IIS) Support
c. HTTP Activation
d. TCP Activation
11. Active Directory Certificate Services: Select the following Role Services
a. Certification Authority
b. Certification Authority Web Enrollment
c. Certificate Enrollment Web Service (Note: This service cannot be installed at this time)
d. Certificate Enrollment Policy Web Service
For the purpose of this standalone lab use the “Enterprise” option. Select Next. (See Figure 22)
13. Certificate Authority Type: For this setup select “Root CA.”
14. Set Up Private Key: Create a new private key. The new private key must be created
because this is a standalone setup. (See Figure 23)
15. Configure CA Name: Keep the default settings and select Next.
16. Validity Period: Keep the default settings of 5 years. Select Next.
19. Server Authentication Certificate for SSL Encryption: Select “Choose an existing
certificate for SSL encryption (recommended).” (See Figure 24) Then select Next.
1. Role Services: Select Next. All role services that are needed have now been installed.
2. Confirmation: The confirmation portion of the wizard will warn about changes
that cannot be undone regarding the Certificate Authority. Select “Install”.
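Both the Server Manager features list and the Add Roles list (step D) above can be installed in one pass with the ServerManager module. The block below is an added example, not part of the Enterasys guide; it assumes the Server 2008 R2 / 2012-era feature names shown, and validates each name with Get-WindowsFeature before installing anything so that a misspelled name fails up front rather than halfway through the install.

```powershell
# Added example (not from the Enterasys guide). Feature names are those of
# Windows Server 2008 R2 / 2012; confirm them with Get-WindowsFeature on your build.
Import-Module ServerManager

$features = @(
    # Server Manager features
    'NET-Framework-Core', 'GPMC', 'RSAT-ADCS', 'RSAT-DHCP', 'RSAT-Web-Server',
    'Telnet-Client', 'WAS',
    # Web Server (IIS): application development
    'Web-Server', 'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    # Health and diagnostics
    'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing',
    # Security
    'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Digest-Auth', 'Web-Cert-Auth',
    'Web-Url-Auth', 'Web-Filtering', 'Web-IP-Security',
    # Performance, management tools, IIS 6 compatibility, FTP
    'Web-Stat-Compression', 'Web-Dyn-Compression',
    'Web-Mgmt-Console', 'Web-Scripting-Tools', 'Web-Mgmt-Service',
    'Web-Metabase', 'Web-Ftp-Service', 'Web-Ftp-Ext',
    # Step D roles: NPS, DHCP, Application Server, AD Certificate Services
    'NPAS-Policy-Server', 'DHCP',
    'AS-NET-Framework', 'AS-Web-Support', 'AS-HTTP-Activation', 'AS-TCP-Activation',
    'ADCS-Cert-Authority', 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Pol'
    # ADCS-Enroll-Web-Svc is left out on purpose: as step D-11 notes, it cannot
    # be installed until the CA exists (section G).
)

# Fail early on a name this build does not know.
$known   = Get-WindowsFeature | Select-Object -ExpandProperty Name
$unknown = $features | Where-Object { $known -notcontains $_ }
if ($unknown) {
    throw "Unknown feature name(s) on this build: $($unknown -join ', ')"
}

$result = Add-WindowsFeature -Name $features
# RestartNeeded is a boolean on 2008 R2 and Yes/No/Maybe on later releases.
if (@('No', 'False') -notcontains "$($result.RestartNeeded)") {
    Write-Warning 'A restart is required to finish the installation.'
}
```

The CA itself is still configured through the Add Roles wizard pages that follow (CA type, private key, validity period); this block only installs the binaries.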
F. Results
1. After running the Add Role Wizard you should receive the following screen: (See Figure 25)
1. As mentioned in Step D-11, the Certificate Enrollment Web Service could not be
installed earlier, which will be completed now.
2. Start the Add Role Services Wizard by Right Clicking the Active Directory Certificate
Services. (Refer to Figure 26)
2. Right Click the domain in the Active Directory Tree, select New Group. For this instance
we will be creating a new group and user within the training.com domain. (See Figure 28)
3. Next create a new user using the same method as in Step 2 and fill in the desired fields.
User1 will be used for this example. (See Figure 29)
4. Add the newly created User: user1 to the newly created Group: Test-Users.
5. Highlight the Users Folder in the Training.com tree; user1 will be listed in the column
directly to the right.
7. The Select Groups window will appear. In the Enter Object Name window type: Test-Users
and click Check Names. This will query the list, and if the group is valid it will become
underlined. Select OK. (See Figure 30)
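The group and user steps above, done with the ActiveDirectory module instead of the console. This is an added example, not part of the Enterasys guide; it assumes the ActiveDirectory module is available on the domain controller and that the default Users container of training.com is the intended location. The final check is the scripted equivalent of the wizard's Check Names: it resolves the group and confirms user1 is a member.

```powershell
# Added example (not from the Enterasys guide). Assumes the ActiveDirectory
# module and the default Users container of training.com.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain -Identity 'training.com').DistinguishedName
$usersOu  = "CN=Users,$domainDn"

# Step 2: the Test-Users group.
New-ADGroup -Name 'Test-Users' -SamAccountName 'Test-Users' `
    -GroupScope Global -GroupCategory Security -Path $usersOu

# Step 3: user1. The password is prompted for so it is not kept in the script.
$pw = Read-Host -Prompt 'Password for user1' -AsSecureString
New-ADUser -Name 'user1' -SamAccountName 'user1' `
    -UserPrincipalName 'user1@training.com' -Path $usersOu `
    -AccountPassword $pw -Enabled $true

# Step 4: membership.
Add-ADGroupMember -Identity 'Test-Users' -Members 'user1'

# Step 7 ("Check Names"): resolve the group and confirm the member is present.
$members = Get-ADGroupMember -Identity 'Test-Users' |
    Select-Object -ExpandProperty SamAccountName
if ($members -contains 'user1') {
    'user1 is a member of Test-Users'
} else {
    throw 'user1 was not added to Test-Users'
}
```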
B. DHCP Server
2. Access the Server Manager Snap-In as in Step A to access the DHCP menu tree.
3. Right Click on the IPv4 Icon, and select New Scope. This will start the New Scope
Wizard. (Refer to Figure 31)
4. Continue with the Wizard, name the DHCP Scope and select next.
7. Keep the default settings for the Lease Duration, and select next.
8. Configure DHCP Options: Select “Yes” and configure the appropriate options for this
scope.
a. Router IP : 192.168.10.1
b. DNS server: 10.120.85.181
9. Continue with the wizard and activate the scope to complete the wizard.
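The New Scope wizard steps above as DhcpServer-module cmdlets. This is an added example, not part of the Enterasys guide: it assumes Windows Server 2012 or later (the 2008 R2 host in the guide would use netsh dhcp instead), a constructed 192.168.10.0/24 subnet with a constructed lease pool and a constructed server address of 192.168.10.2; the router and DNS server values are the ones the guide uses in step 8. It also enforces the guide's note that the server's own address must be static, and authorizes the server in Active Directory, without which a domain-joined DHCP server will not hand out leases.

```powershell
# Added example (not from the Enterasys guide). Assumes Windows Server 2012+.
# Subnet, lease pool and server address are constructed; router and DNS are
# the guide's values.
Import-Module DhcpServer

# Guide note: the DHCP server's address must be statically assigned.
$serverIp = '192.168.10.2'   # constructed
$addr = Get-NetIPAddress -IPAddress $serverIp -AddressFamily IPv4 -ErrorAction Stop
if ($addr.PrefixOrigin -ne 'Manual') {
    throw "$serverIp is not statically assigned (PrefixOrigin=$($addr.PrefixOrigin))"
}

# Steps 4-7: name the scope, set the range, keep an 8-day lease, activate (step 9).
Add-DhcpServerv4Scope -Name 'Lab Scope' -StartRange 192.168.10.100 `
    -EndRange 192.168.10.200 -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Step 8: router (option 3) and DNS server (option 6).
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 `
    -Router 192.168.10.1 -DnsServer 10.120.85.181

# Authorize the server in AD; unauthorized servers refuse to lease addresses.
Add-DhcpServerInDC -DnsName 'test-ad.training.com' -IPAddress $serverIp

Get-DhcpServerv4Scope -ScopeId 192.168.10.0 |
    Format-List Name, StartRange, EndRange, LeaseDuration, State
```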
C. DNS Server
1. Verify that there is a Host(A) record in the Forward Lookup Zones for the TEST-AD under
the training.com Zone. (Refer to Figure 34)
3. Right Click on Reverse Lookup Zones in the DNS tree. This will start the New Zone
Wizard.
5. Active Directory Zone Replication Scope, for this lab setup select “To all DNS servers
running on the domain: training.com”
8. Dynamic Update: Allow only secure dynamic updates. This completes the Wizard.
9. The next step will be to add PTR records to the newly created Reverse Lookup Zone.
10. Right Click on the newly created Reverse Lookup Zone and select New Pointer (PTR).
(Refer to Figure 38)
12. Perform an NSLOOKUP to verify that DNS is functioning correctly. (Refer to Figure 39)
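The reverse zone, PTR record and NSLOOKUP check above with the DnsServer module. This is an added example, not part of the Enterasys guide: it assumes Windows Server 2012 or later, a constructed 192.168.10.0/24 network and a constructed address of 192.168.10.2 for TEST-AD. The zone is created AD-integrated and replicated to all DNS servers in the domain, as in step 5, and with secure dynamic updates only, as in step 8, so that only authenticated domain members can register or overwrite records. The last step resolves the name both ways and fails if the A and PTR records disagree.

```powershell
# Added example (not from the Enterasys guide). Assumes Windows Server 2012+;
# network and host address are constructed.
Import-Module DnsServer

$hostName = 'test-ad.training.com'
$hostIp   = '192.168.10.2'   # constructed

# Step 1: an A record for TEST-AD must exist in the forward zone.
$aRecord = Get-DnsServerResourceRecord -ZoneName 'training.com' -Name 'test-ad' `
    -RRType A -ErrorAction SilentlyContinue
if (-not $aRecord) { throw 'No A record for test-ad in training.com' }

# Steps 3-8: AD-integrated reverse zone, domain replication scope,
# secure dynamic updates only.
Add-DnsServerPrimaryZone -NetworkId '192.168.10.0/24' `
    -ReplicationScope Domain -DynamicUpdate Secure

# Step 10: PTR record; in 10.168.192.in-addr.arpa the name is the host octet.
Add-DnsServerResourceRecordPtr -ZoneName '10.168.192.in-addr.arpa' `
    -Name '2' -PtrDomainName $hostName

# Step 12: forward and reverse lookups against this server, as NSLOOKUP would do.
$fwd = Resolve-DnsName -Name $hostName -Type A   -Server localhost
$rev = Resolve-DnsName -Name $hostIp   -Type PTR -Server localhost
if ($fwd.IPAddress -ne $hostIp -or $rev.NameHost -ne $hostName) {
    throw 'Forward and reverse lookups do not agree'
}
"$hostName <-> $hostIp resolves both ways"
```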
1. Start, point to Administrative Tools, and then click Network Policy Server.
3. From the Internet Authentication Service management console, right-click the RADIUS
Clients folder, and then click New RADIUS Client. The New Radius Client Window will
appear. (See Figure 40)
4. On the Name and Address page, in Friendly name, enter a name. This procedure used: Lab Network.
5. In Client address (IP or DNS), enter the IP address of the adapter through which RADIUS
clients access the domain controller (usually the Internal adapter). Using an IP address
rather than a DNS name ensures that IAS does not need to resolve client names at
start-up. (recommended)
6. Click Next.
7. On the Advanced tab, in the Vendor Name, ensure that RADIUS Standard is selected. In
Shared secret, specify a password, and in Confirm shared secret, confirm the password.
This procedure used: mysecret
9. Create a new Network Policy, right click Network Policies and select new. This will
initiate the New Policy wizard.
11. Specify Conditions: Select Add, then select Windows Groups. Add the Windows Group
that was created earlier: “Test-Users”.
13. Configure Authentication Methods: Select Add and select Microsoft Protected EAP
(PEAP). Select Edit and verify the Certificate Information. (Refer to Figure 41)
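Registering the RADIUS client from steps 3 to 7 with the NPS module instead of the console. This is an added example, not part of the Enterasys guide: it assumes Windows Server 2012 or later, a constructed client address of 192.168.10.254 for the switch or NAC appliance, and the guide's friendly name Lab Network. The guide's shared secret mysecret is fine for a lab but short and easy to guess; the block generates a random 32-character secret from the system RNG with rejection sampling (so every character is equally likely), prints it once so it can be entered on the RADIUS client, and then confirms the client was registered. The network policy from steps 9 to 13 is still built in the NPS console.

```powershell
# Added example (not from the Enterasys guide). Assumes Windows Server 2012+;
# the client address is constructed.
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    # 256 is not a multiple of 62; discard bytes above the largest multiple
    # (248) so that no character is favoured.
    $limit = 256 - (256 % $alphabet.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $sb.ToString()
}

$secret = New-RadiusSharedSecret

# Steps 3-7: friendly name, client address, RADIUS Standard vendor, shared secret.
New-NpsRadiusClient -Name 'Lab Network' -Address '192.168.10.254' `
    -SharedSecret $secret -VendorName 'RADIUS Standard' -Enabled $true

"Shared secret for Lab Network (enter it on the RADIUS client, then clear this screen): $secret"

# Confirm the client exists and is enabled.
Get-NpsRadiusClient -Name 'Lab Network' |
    Format-List Name, Address, Enabled, VendorName
```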
Enterasys Networks, Inc. reserves all rights to its materials and the content of the materials. No
material provided by Enterasys Networks, Inc. to a Partner (or Customer, etc.) may be reproduced or
transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording, or by any information storage or retrieval system, or incorporated into any other published
work, except for internal use by the Partner and except as may be expressly permitted in writing by
Enterasys Networks, Inc.
This document and the information contained herein are intended solely for informational use.
Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or
implied, with respect to this information and assumes no responsibility for its accuracy or
completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information
contained herein and all the material and information herein exists to be used only on an "as is"
basis. More specific information may be available on request. By your review and/or use of the
information contained herein, you expressly release Enterasys from any and all liability related in any
way to this information. A copy of the text of this section is an uncontrolled copy, and may lack
important information or contain factual errors. All information herein is Copyright ©Enterasys
Networks, Inc. All rights reserved. All information contained in this document is subject to change
without notice.