How to configure a Windows RADIUS server for 802.1X Wireless or Wired Connections

How to configure a Windows RADIUS server for 802.1X Wireless or Wired Connections

In this article I will show you how to configure a Windows Remote Authentication Dial-in User Service server for Wireless Networks. I will try to cover all aspects as we install and configure this service. When configuring a RADIUS server for user authentication, you'll have to configure all Access Points to forward authentication requests to the server. Using a RADIUS server within your enterprise network you highly increase the security level while providing a centralized management point for your wireless clients.
Before we can configure the RADIUS server we'll need to add the Network Policy and Access Server role to our Windows Server 2008 machine. In the Role Services section, select the Network Policy Server (NPS), click Next and then Install:




After the NPS server role is added, open the console, and navigate to the NPS Standard Configuration Page. From the drop down list select RADIUS server for 802.1X Wireless or Wired Connections and click on Configure 802.1X:




In the 802.1X Connection type page, select Secure Wireless Connections and press Next. If desired, you can add a custom Name in the bottom section of the page. The NPS server also supports secure Wired (Ethernet Connections) so remember that wired authentication and authorization can be used:




In the next section we'll have to Add our wireless AP (Access Point) that will function as a RADIUS client. In the New RADIUS Client box enter the Friendly name, IP or DNS name (FQDN) and the Shared Secret. The shared secret must be configured on all AP to allow them to authenticate with the RADIUS server. There are two options available: Manual or Generated shared secret:




Once the AP is configured, it will appear in the RADIUS clients section:




We'll need to configure an Authentication Method for our RADIUS clients. There are three options available in this section:
Smart Card or other certificate - this authentication method will require wireless clients to connect using smart card or certificate when authenticating with the RADIUS server.

Protected EAP (PEAP) - with this authentication method enabled, wireless clients and the RADIUS server will require a computer or user certificate installed on their local certificate store. On the RADIUS server you would need to import a computer certificate which has the CA (Certificate Authority) trusted by wireless clients. On RADIUS clients you would need to install either a computer or a user certificate and the server's CA must be trusted by all clients. Enterprises have usually implemented their own CA to support RADIUS authentication for wireless networks.

Secured Password (EAP-MSCHAP v2) - with this authentication method, all RADIUS servers must install a computer certificate who's CA is trusted by radius clients. The only difference between this method and the PEAP is that the clients authenticate using domain accounts.





In the Users Groups section you'll have to specify what domain groups will be allowed or denied access based on the network policy Access Permission settings. For this exercise I've added the Domain Users group:




In the Configure Traffic Controls page, you can configure VLANs and ACLs for controlling the network traffic. By pressing the Configure button, you can specify what additional control attributes are sent to clients:




Once the RADIUS server has been configured, you'll need to authorize it in Active Directory. Right click the NPS section and select Register server in Active Directory. This will enable NPS to authenticate in Active Directory and to be able to read the dial-in properties from objects within domain. The server will then be added to the RAS and IAS Servers group and will have the appropriate permissions set:




RADIUS authentication messages use the 1812 UDP port so make sure that the firewall rules are configured to support the transfer. Accounting messages use the 1813 UDP port.
Windows wireless clients can authenticate in three ways:
Computer only - using this method the computer will authenticate before the logon screen is displayed. This means that the computer can authenticate with AD before the user logs in.
User only - the wireless authentication will be made after the user is logged on. Basically, users cannot authenticate before the connection to the wireless network is made. Using this authentication method, your network devices may encounter problems when authenticating. To overcome this limitation, Windows devices support SSO (Single Sign On), a technology that allows users to authenticate before the logon process occurs.
Computer and user - the computer will authenticate using the computer credentials and once the user is logged, this information is also submitted.
To monitor RADIUS server performance you can check the Event Viewer console, check the RADIUS log file or enable trace logging (for advanced troubleshooting. When a RADIUS authentication is made, an event will be logged in the Event Viewer: Audit Success or Audit Failure. The Task Category of such events will be Network Policy Server. The RADIUS log file is located in C:\Windows\System32\LogFiles. Logging can also be configured with a database server for easier management:




To enable event tracing, open a command prompt and type in the following command:
netsh ras set tr * en




The event tracing log will be generated in C:\Windows\tracing\ISANAP.log