How to configure a Windows RADIUS server for 802.1X Wireless or Wired Connections
2015-02-27 11:16
Before we can configure the RADIUS server we'll need to add the Network Policy and Access Server role to our Windows Server 2008 machine. In the Role Services section, select the Network Policy Server (NPS), click Next and then Install:
After the NPS server role is added, open the console, and navigate to the NPS Standard Configuration Page. From the drop down list select RADIUS server for 802.1X Wireless or Wired Connections and click on Configure 802.1X:
In the 802.1X Connection Type page, select Secure Wireless Connections and press Next. If desired, you can add a custom Name in the bottom section of the page. The NPS server also supports secure wired (Ethernet) connections, so the same setup can be used for wired 802.1X authentication and authorization:
In the next section we'll have to add our wireless AP (Access Point), which will function as a RADIUS client. In the New RADIUS Client box enter the Friendly name, the IP or DNS name (FQDN) and the Shared Secret. The shared secret must be configured on all APs so that they can authenticate with the RADIUS server. There are two options available: a Manual or a Generated shared secret:
Once the AP is configured, it will appear in the RADIUS clients section:
We'll need to configure an Authentication Method for our RADIUS clients. There are three options available in this section:
Smart Card or other certificate - this authentication method requires wireless clients to present a smart card or a certificate when authenticating with the RADIUS server.
Protected EAP (PEAP) - with this authentication method enabled, the wireless clients and the RADIUS server require a computer or user certificate installed in their local certificate store. On the RADIUS server you need to import a computer certificate issued by a CA (Certificate Authority) that the wireless clients trust. On the wireless clients you need to install either a computer or a user certificate, and the server's CA must be trusted by all clients. Enterprises have usually implemented their own CA to support RADIUS authentication for wireless networks.
Secured Password (EAP-MSCHAP v2) - with this authentication method, all RADIUS servers must have a computer certificate installed whose CA is trusted by the RADIUS clients. The only difference between this method and PEAP is that the clients authenticate using domain accounts.
In the Users Groups section you'll have to specify what domain groups will be allowed or denied access based on the network policy Access Permission settings. For this exercise I've added the Domain Users group:
In the Configure Traffic Controls page, you can configure VLANs and ACLs for controlling the network traffic. By pressing the Configure button, you can specify what additional control attributes are sent to clients:
Once the RADIUS server has been configured, you'll need to authorize it in Active Directory. Right-click the NPS node and select Register server in Active Directory. This enables NPS to authenticate against Active Directory and to read the dial-in properties of objects within the domain. The server is then added to the RAS and IAS Servers group and gets the appropriate permissions:
RADIUS authentication messages use UDP port 1812, so make sure the firewall rules allow this traffic. Accounting messages use UDP port 1813.
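The RADIUS client, shared secret, firewall and Active Directory registration steps above can also be scripted. The following is an added example, not code from the original article: it assumes Windows Server 2012 or later so that the NPS PowerShell module (New-NpsRadiusClient) is available, whereas the article walks through the Server 2008 GUI; the AP names and addresses are constructed.

```powershell
# Added example (not from the original article). Assumes the NPS role is installed on
# Windows Server 2012 or later, which provides the NPS PowerShell module.
Import-Module NPS

# Generate a strong shared secret instead of typing one by hand; this mirrors the
# "Generated" option in the New RADIUS Client dialog. 32 random bytes, Base64-encoded.
function New-RadiusSharedSecret {
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Constructed list of access points that will act as RADIUS clients.
$accessPoints = @(
    @{ Name = 'AP-Floor1'; Address = '10.0.10.11' },
    @{ Name = 'AP-Floor2'; Address = '10.0.10.12' }
)

$secret = New-RadiusSharedSecret
Write-Host "Configure this shared secret on every AP: $secret"

foreach ($ap in $accessPoints) {
    # Register the AP as a RADIUS client. -AuthAttributeRequired makes NPS insist on the
    # Message-Authenticator attribute in Access-Requests, so a request from a host that
    # does not know the shared secret is dropped rather than processed.
    New-NpsRadiusClient -Name $ap.Name -Address $ap.Address `
        -SharedSecret $secret -AuthAttributeRequired $true
}

# Allow RADIUS authentication (UDP 1812) and accounting (UDP 1813) inbound, but only
# from the APs, not from every host on the network.
$apAddresses = $accessPoints | ForEach-Object { $_.Address }
New-NetFirewallRule -DisplayName 'NPS RADIUS auth/acct from APs' -Direction Inbound `
    -Protocol UDP -LocalPort 1812,1813 -RemoteAddress $apAddresses `
    -Action Allow -Profile Domain

# Register NPS in Active Directory (adds it to the "RAS and IAS Servers" group);
# this is the command-line form of "Register server in Active Directory".
netsh nps add registeredserver
```

Restricting the firewall rule to the AP addresses matters because the shared secret is the only thing protecting the RADIUS exchange; the smaller the set of hosts that can reach UDP 1812, the less exposure a weak or leaked secret has.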
Windows wireless clients can authenticate in three ways:
Computer only - using this method the computer will authenticate before the logon screen is displayed. This means that the computer can authenticate with AD before the user logs in.
User only - the wireless authentication is performed after the user has logged on. In other words, the connection to the wireless network is not made until the user is logged on, so devices may run into problems during logon because the network is not yet available. To overcome this limitation, Windows supports SSO (Single Sign On), which allows the wireless authentication to take place before the logon process completes.
Computer and user - the computer authenticates with the computer credentials, and once the user has logged on the user credentials are submitted as well.
To monitor RADIUS server activity you can check the Event Viewer console, check the RADIUS log file, or enable trace logging (for advanced troubleshooting). Every RADIUS authentication produces an event in the Event Viewer: Audit Success or Audit Failure. The Task Category of these events is Network Policy Server. The RADIUS log file is located in C:\Windows\System32\LogFiles. Logging can also be directed to a database server for easier management:
To enable event tracing, open a command prompt and type in the following command:
netsh ras set tr * en
The event tracing log will be generated in C:\Windows\tracing\ISANAP.log
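The RADIUS log file described above is the quickest place to spot failed authentications. The following added example (not code from the original article) parses log lines in the NPS IAS comma-separated format and summarises rejected authentications per user and per access point. The log lines are constructed and simplified: real lines carry many more attribute/value pairs, and the parser only relies on the Packet-Type (4136) and Reason-Code (4142) attribute IDs.

```powershell
# Added example (not from the original article). Constructed, simplified IAS-format
# log lines: six fixed fields (NAS-IP-Address, User-Name, Date, Time, Service-Name,
# Computer-Name) followed by attribute-id,value pairs.
$sampleLog = @'
"10.0.10.11","CORP\alice","02/27/2015","11:16:02","IAS","NPS01",4136,1
"10.0.10.11","CORP\alice","02/27/2015","11:16:02","IAS","NPS01",4136,2,4142,0
"10.0.10.12","CORP\bob","02/27/2015","11:17:40","IAS","NPS01",4136,1
"10.0.10.12","CORP\bob","02/27/2015","11:17:40","IAS","NPS01",4136,3,4142,16
"10.0.10.12","CORP\bob","02/27/2015","11:17:45","IAS","NPS01",4136,3,4142,16
"10.0.10.12","CORP\bob","02/27/2015","11:17:51","IAS","NPS01",4136,3,4142,16
"10.0.10.11","host/LAPTOP7.corp.example","02/27/2015","11:20:03","IAS","NPS01",4136,3,4142,48
'@

# Packet-Type values and the NPS reason codes used in the sample.
$packetType = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 4 = 'Accounting-Request' }
$reasonText = @{ 0 = 'Success'; 16 = 'Credentials mismatch (bad password)'; 48 = 'No matching network policy' }

# Turn one IAS-format line into an object. Splitting on ',' is enough for the sample;
# for production logs use a real CSV parser, since user names may contain commas.
function ConvertFrom-IasLogLine {
    param([string]$Line)
    $fields = $Line -split ',' | ForEach-Object { $_.Trim('"') }
    $record = [ordered]@{
        NasIp      = $fields[0]
        UserName   = $fields[1]
        Date       = $fields[2]
        Time       = $fields[3]
        Attributes = @{}
    }
    for ($i = 6; $i + 1 -lt $fields.Count; $i += 2) {
        $record.Attributes[[int]$fields[$i]] = $fields[$i + 1]
    }
    return [pscustomobject]$record
}

function Get-ReasonText($record) {
    if (-not $record.Attributes.ContainsKey(4142)) { return 'No Reason-Code logged' }
    $code = [int]$record.Attributes[4142]
    if ($reasonText.ContainsKey($code)) { return $reasonText[$code] }
    return "Reason-Code $code"
}

$records = $sampleLog -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ConvertFrom-IasLogLine $_ }
$rejects = $records | Where-Object { $_.Attributes[4136] -eq '3' }

# Rejects per user. A burst of credential-mismatch rejects for one account is either a
# device holding a stale password or someone guessing it; both deserve a look.
'--- Access-Reject per user ---'
$rejects | Group-Object UserName | Sort-Object Count -Descending | ForEach-Object {
    $reasons = ($_.Group | ForEach-Object { Get-ReasonText $_ } | Sort-Object -Unique) -join '; '
    '{0,-30} rejects={1,-3} {2}' -f $_.Name, $_.Count, $reasons
}

# Rejects per access point, to separate a misconfigured AP from a single bad client.
'--- Access-Reject per NAS (access point) ---'
$rejects | Group-Object NasIp | ForEach-Object { '{0,-15} rejects={1}' -f $_.Name, $_.Count }

# On the NPS server itself the same denials are Security-log events with ID 6273
# (Task Category "Network Policy Server"); 6272 is the corresponding grant:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-1) }
```

With the sample data the per-user summary reports three rejects for CORP\bob with reason "Credentials mismatch" and one for the LAPTOP7 computer account with "No matching network policy", which is the typical signature of a machine that is not in the group granted by the network policy.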