AD 2008 NPS Radius WLC

Unanswered Question
Jun 29th, 2010

hello,

Does anyone know where I might find a document specific to 2008 / NPS / WLC integration?

thanks very much for your time,

greg

Message was edited by: GREGORY WHYNOTT

gwhynott Mon, 07/05/2010 - 10:10

figured it out.  little bit of clicking here and there...  works as expected.

-g

routerhand99 Wed, 03/23/2011 - 10:43

Good work!  You were looking for that integration guide.  So, have you authored one based on your experience?  Did you end up having to use PAP instead of something like MS-CHAP?  Thanks.

iskoy.istem Sat, 01/14/2012 - 02:24

hi,

Can you elaborate on your set-up? I am having the same deployment. It would be appreciated.

Scott Fella Sat, 01/14/2012 - 07:05

Joseph,

First, make sure that the NPS is on the domain and is registered to the domain.  If you have an internal CA, then when you added the server to the domain, it should have received a certificate.  This computer certificate will be used for EAP.

Now, what authentication method are you using?  PEAP will only require the certificate the NPS has and EAP-TLS will require the same certificate on the radius side along with certificates on each machine.

When creating a policy, the connection request policy is hit first, then the network access policy.  NPS does have a wizard to create a secure wireless policy if you want to give that a try to see how the wizard creates one.

routerhand99 Mon, 01/16/2012 - 14:20

There are some good NPS server installation guides on the net - follow all of the recommended best practices from Microsoft for security and maintenance. Once you have a sound base system and the other required components, start this test procedure with a sound NPS server. Here is where the integration occurs between NPS and WLC:

Set the Auth and Acct ports

Set your NPS Server access ports by right-clicking the globe symbol of the NPS Server
Select properties, go to the properties tab and enter 1812 for auth and 1813 for accounting.

Next, configure the RADIUS Client Settings.  Remember that to NPS the WLC is a RADIUS Client (along with other NAS devices like APs, WLCs, etc.).

Configure the RADIUS Client Settings

Expand the options below the NPS Server globe icon

Add the WLC 5500 in the NPS server as a Radius Client

1. Right-click RADIUS Clients and select New RADIUS Client.
2. Enter the Friendly Name and IP address of the Cisco WLC.
3. Select RADIUS Standard as the RADIUS Vendor.
4. Click the Manual radio button to enter the RADIUS key manually.
5. Enter a strong RADIUS key (make sure you put it in your key pass keeper; you will need to add the same shared key to the controller).
6. Check the Enable Client box.
7. At the time of this writing the controller does not support the Message Authenticator setting; leave it unchecked in the Advanced tab.
8. Click OK to close the new RADIUS Client configuration.

Configure a Connection Policy (This policy determines which network access server to send requests to)

9. Right-click the Network policy and select New.
10. Enter a Policy Name (e.g. Connection to Wireless).
11. Select Unspecified for the Type of Network Access Server.
12. Add a Condition - pick NAS Port Type Wireless - 802.11. Click OK.
13. Add another Condition - choose the group from the AD Domain to grant access (e.g. Domain/Wireless Users). Click OK.
14. Optional - Add another Condition - Client IPv4 Address (this is the Controller's IP address). Click OK.
15. Click Next.
16. Authenticate requests on this server.
17. Click Next.
18. Do not override security here.
19. Click Next.
20. We won't be applying attributes here.
21. Click Next.
22. Finish.

Configure a Network Policy (This determines access)

23. Right-click on Network Policies and choose New. Enter a Policy Name (e.g. Wireless).
24. Select a Windows group Domain/Wireless Users to be allowed access.
25. Click Next.
26. Select Grant Access - Access is granted if Client attempts match the conditions of this policy.  Click Next.
27. Configure Authentication Methods.
28. Click Add... Microsoft Protected EAP; a methods box will be presented.
29. You can also check v2 below if your organization security policy allows.
30. You can double-click Microsoft Protected EAP (PEAP) and pick the order - move secure password up.
31. In the same dialog window select the certificate used by NPS to identify itself to the client (your Windows 7 wireless client).

Note: Microsoft has lots of documentation about this, so look there for group policy guidance and how to get it in your client's trusted root.

32. Click Next.
33. You can add constraints such as time, etc. here.  Click Next.
34. On the Configure Settings dialog choose Encryption, Strongest Encryption. Click Next.
35. This tab is the IP settings tab and that depends on your network.  For now, choose Server settings determine IP. Click Next.


Add any further Constraints and Conditions after you get your tests working.

The WLC

There is a setup wizard on WLC; it will ask you to set up the RADIUS server.

To configure a RADIUS server now, enter yes and then enter the IP address, communication port, and enter no. (Type yes, NPS IP: subnet: Gateway:

If already set up:

Configure Security and AAA Server in WLC 5500
1. Browse to the IP address of WLC.
2. Click Login and use your username and password credentials.
3. Choose Security > AAA > RADIUS > Authentication and then click on New to launch RADIUS server configuration page.
4. Choose the Server Index (the priority order of the RADIUS server). The controller tries Index 1 first, etc.
5. Enter RADIUS Server IP Address.
6. Shared Secret Format for now set to ASCII.
7. Enter the Shared Secret and Confirm the Shared Secret (Be sure to use the exact Shared Secret you used in NPS).
8. Click on Wireless. In the left-hand pane click Authentication. You will see the IP address and port number 1812 of the RADIUS Server.  You need to match the RADIUS Authentication port with the port you are using in NPS.  (Remember, you set that first on NPS above.)
9. Click Accounting. Click New on right hand top corner. You will be presented with a window to add a server, use the same Shared Secret and Port 1813.
10. Apply changes.
11. To add another RADIUS server Choose SECURITY > AAA > RADIUS > Authentication and then click New to navigate to this page.
12. Click on the WLANs Tab >Click on a WLAN>Click on General Tab>Check Enable on Status and Check Enabled on broadcast SSID
13. Click on the Security Tab > Click Layer2 Tab > Select WPA+WPA2 from the Layer2 security drop-down list > Check WPA policy and, on the same page, enable AES and in Auth Key Mgmt select 802.1x. Now click the Apply button.
14. Click on AAA Servers>Select Authentication and Accounting server NPS. 
15. Ensure that Enable is checked for both Authentication and Accounting radio button. Click Apply.

Remember to think about the RADIUS process and your policies as you troubleshoot.

Likely gotchas:

The shared secrets are mismatched
The NPS Server certificate is not in the wireless client's trusted root (laptop)
You are evaluating user dial-in properties and don't mean to.
Your policies don't grant access or don't match.
Use the logs and the Microsoft Reason Codes.

Review appropriate Cisco WLC documentation http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml

Finally, remember that this is a baseline test server to prove your wireless system works.  Before deploying you will want to look at other conditions and constraints for limiting access and authentication by building your security in layers. And you will want to test the system and run security audits.  Run the Best Practice Analyzer from Microsoft and consider adding Smart Cards or tokens to your installation.  http://technet.microsoft.com/en-us/library/ee922674(WS.10).aspx

Good luck.
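The first gotcha above (mismatched shared secrets) is worth seeing at the packet level. The following is an added example and not part of the post: it builds a minimal Access-Request of the kind the WLC sends (NAS-Port-Type 19 = Wireless-802.11, the value the step 12 condition matches), lets a simulated NPS answer with an Access-Accept, and shows how the RADIUS client validates the Response Authenticator from RFC 2865 with the secret it holds. All names, addresses and secrets are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the example, not taken from the post.
SHARED_SECRET = b"example-shared-secret"   # must be identical on NPS and the WLC
NAS_PORT_TYPE_WIRELESS_80211 = 19          # NAS-Port-Type value the NPS condition matches

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def access_request(ident, req_auth, username, nas_ip):
    """Build an Access-Request (Code 1) as a wireless controller would send it to NPS."""
    attrs = (attr(1, username)                                   # User-Name
             + attr(4, bytes(int(o) for o in nas_ip.split(".")))  # NAS-IP-Address
             + attr(61, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))  # NAS-Port-Type
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def access_accept(ident, req_auth, attrs, secret):
    """Simulated NPS reply: Access-Accept (Code 2) sealed with the secret NPS has for this client."""
    auth = response_authenticator(2, ident, req_auth, attrs, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, req_auth, secret):
    """RADIUS client side: recompute the authenticator with its own secret and compare.
    A mismatch means the packet is silently discarded, which shows up as a timeout."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, req_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def demo():
    """Return (valid with matching secret, valid with mismatched secret)."""
    req_auth = os.urandom(16)                     # Request Authenticator chosen by the client
    req = access_request(7, req_auth, b"DOMAIN\\alice", "192.0.2.10")
    accept = access_accept(7, req_auth, attr(11, b"Wireless"), SHARED_SECRET)  # Filter-Id
    return (verify_response(accept, req_auth, SHARED_SECRET),
            verify_response(accept, req_auth, b"wrong-secret"))
```

With the matching secret the Access-Accept verifies; with any other secret the controller must drop it, so a mismatched secret looks like an unresponsive RADIUS server on the WLC rather than a clean reject.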

routerhand99 Mon, 01/16/2012 - 10:19

I have this setup working in several installations.  I will prepare a guide and post it here and to TechNet so the information is available from each side. The best way to understand the interaction of Client > WLC > RADIUS is to study how RADIUS works and mock up a test lab first.  There is actually quite a lot that you can do with this setup once you get the infrastructure in place.  You can look for my earlier posts on getting around legacy LEAP for WDS in posts here and on Microsoft's sites here:

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/7c6d0ef2-67f1-48c0-8833-9fcf8a817c23

Look here for another post soon with a guide to one possible solution set.

iskoy.istem Tue, 01/17/2012 - 07:14

Thanks bro for this guide. I'll give feedback as soon as my test set-up is working. Grateful for the help.
