Good work! You were looking for that integration guide. So, have you authored one based on your experience? Did you end up having to use PAP instead of something like MS-CHAP? Thanks.
First, make sure that the NPS is on the domain and is registered to the domain. If you have an internal CA, then when you added the server to the domain it should have received a certificate. This computer certificate will be used for EAP.
Now, what authentication method are you using? PEAP will only require the certificate the NPS has, and EAP-TLS will require the same certificate on the RADIUS side along with certificates on each machine.
When creating a policy, the connection request policy is hit first, then the network access policy. NPS does have a wizard to create a secure wireless policy if you want to give that a try to see how the wizard creates one.
There are some good NPS server installation guides on the net; follow all of the recommended best practices from Microsoft for security and maintenance. Once you have a sound base system and the other required components, start this test procedure with a sound NPS server. Here is where the integration occurs between NPS and the WLC:
Set the Auth and Acct ports
Set your NPS Server access ports by right-clicking the globe symbol of the NPS Server
Select properties, go to the properties tab and enter 1812 for auth and 1813 for accounting.
Next, configure the RADIUS client settings. Remember that to NPS the WLC is a RADIUS client (along with other NAS devices like APs, other WLCs, etc.).
Configure the RADIUS Client Settings
Expand the options below the NPS Server globe icon
Add the WLC 5500 in the NPS server as a RADIUS Client
1. Right-click RADIUS Clients and select New RADIUS Client
2. Enter the Friendly Name and IP address of the Cisco WLC
3. Select RADIUS Standard as the RADIUS Vendor
4. Click the Manual radio button to enter the RADIUS key manually
5. Enter a strong RADIUS key (make sure you put it in your password keeper; you will need to add the same shared key to the controller)
6. Check the Enable Client box
7. At the time of this writing the controller does not support the Message Authenticator setting; leave it unchecked on the Advanced tab.
8. Click OK to close the new RADIUS Client configuration.
Configure a Connection Policy (This policy determines which network access server to send requests to)
9. Right-click the Network policy and select New
10. Enter a Policy Name (e.g. Connection to Wireless)
11. Select Unspecified for the Type of Network Access Server
12. Add a Condition - pick NAS Port Type: Wireless - 802.11. Click OK.
13. Add another Condition - choose the group from the AD Domain to grant access (e.g. Domain/Wireless Users). Click OK.
14. Optional - Add another Condition - Client IPv4 Address (this is the Controller's IP address). Click OK.
15. Click Next
16. Authenticate requests on this server.
17. Click Next
18. Do not override security here.
19. Click Next.
20. We won't be applying attributes here.
21. Click Next.
Configure a Network Policy (This determines access)
22. Right-click on Network Policies and choose New.
23. Enter a Policy Name (e.g. Wireless).
24. Select a Windows group Domain/Wireless Users to be allowed access.
25. Click Next.
26. Select Grant Access - Access is granted if Client attempts match the conditions of this policy. Click Next.
27. Configure Authentication Methods.
28. Click Add... Microsoft Protected EAP (PEAP); a methods box will be presented.
29. You can also check v2 below if your organization's security policy allows.
30. You can double-click Microsoft Protected EAP (PEAP) and pick the order - move secure password up.
31. In the same dialog window select the certificate used by NPS to identify itself to the client (your Windows 7 wireless client).
Note: Microsoft has lots of documentation about this, so look there for group policy guidance and how to get it in your client's trusted root.
32. Click Next.
33. You can add constraints such as time, etc. here. Click Next.
34. On the Configure Settings dialog choose Encryption, Strongest Encryption. Click Next.
35. This tab is the IP settings tab, and that depends on your network. For now, choose Server settings determine IP. Click Next.
Add any further Constraints and Conditions after you get your tests working.
There is a setup wizard on the WLC; it will ask you to set up the RADIUS server.
To configure a RADIUS server now, enter yes and then enter the IP address, communication port, and
enter no. (Type yes, NPS IP:
If already set up:
Configure Security and AAA Server in WLC 5500
1. Browse to the IP address of WLC.
2. Click Login and use your username and password credentials.
3. Choose Security > AAA > RADIUS > Authentication and then click on New to launch RADIUS server configuration page.
4. Choose the Server Index (the priority order of the RADIUS server). The controller tries Index 1 first, etc.
5. Enter RADIUS Server IP Address.
6. Shared Secret Format: for now set to ASCII.
7. Enter the Shared Secret and Confirm the Shared Secret (be sure to use the exact Shared Secret you used in NPS).
8. Click on Wireless. In the left-hand pane click Authentication. You will see the IP address and port number 1812 of the RADIUS Server. You need to match the RADIUS Authentication port with the port you are using in NPS. (Remember, you set that first on NPS above.)
9. Click Accounting. Click New in the top right-hand corner. You will be presented with a window to add a server; use the same Shared Secret and Port 1813.
10. Apply changes.
11. To add another RADIUS server Choose SECURITY > AAA > RADIUS > Authentication and then click New to navigate to this page.
12. Click on the WLANs tab > click on a WLAN > click on the General tab > check Enabled on Status and check Enabled on Broadcast SSID.
13. Click on the Security tab > click the Layer 2 tab > select WPA+WPA2 from the Layer 2 security drop-down list > check WPA policy and, on the same page, enable AES and in Auth Key Mgmt select 802.1X. Now click the Apply button.
14. Click on AAA Servers>Select Authentication and Accounting server NPS.
15. Ensure that Enable is checked for both Authentication and Accounting radio button. Click Apply.
Remember to think about the RADIUS process and your policies as you troubleshoot:
The shared secrets are mismatched
The NPS Server certificate is not in the wireless client's trusted root (laptop)
You are evaluating user dial-in properties and don't mean to.
Your policies don't grant access or don't match.
Use the logs and the Microsoft Reason Codes.
Review appropriate Cisco WLC documentation http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
Finally, remember that this is a baseline test server to prove your wireless system works. Before deploying you will want to look at other conditions and constraints for limiting access and authentication by building your security in layers. And you will want to test the system and run security audits. Run the Best Practice Analyzer from Microsoft and consider adding Smart Cards or tokens to your installation. http://technet.microsoft.com/en-us/library/ee922674(WS.10).aspx
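As an added worked example (not part of the post above, and not Cisco's or Microsoft's code), the PowerShell below automates the NPS side of the procedure and the log check from the troubleshooting list: it generates a shared secret from the OS CSPRNG, checks the two prerequisites from the earlier reply (NPS registered in AD, a machine certificate usable for PEAP), adds the WLC as a RADIUS client with the NPS module cmdlets, emits the matching AireOS CLI lines for the controller so the ports and server index line up, and summarizes recent NPS rejects (Event ID 6273) by Microsoft reason code. The friendly name, the 192.0.2.x addresses, WLAN ID 1, server index 1, the reason-code subset and the AireOS command syntax are assumptions to verify against your own environment and controller release.

```powershell
# Added example, not from the original post. Assumes Windows Server 2012 or later with the
# NPS role and its PowerShell module, run elevated on the NPS server itself.
# Hypothetical values: WLC at 192.0.2.10, NPS at 192.0.2.5, WLAN ID 1, RADIUS server index 1.
#Requires -RunAsAdministrator
Import-Module NPS

$WlcName    = 'WLC5500-Campus'   # friendly name shown in the NPS console (assumed)
$WlcAddress = '192.0.2.10'       # address the WLC sources RADIUS traffic from (assumed)
$NpsAddress = '192.0.2.5'        # this NPS server as the WLC reaches it (assumed)

# NPS step 5: a strong key from the OS CSPRNG. A 64-symbol alphabet keeps the
# byte-to-symbol mapping unbiased because 256 is a multiple of 64.
function New-RadiusSharedSecret {
    param([int]$Length = 48)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# Prerequisites from the earlier reply: NPS registered in AD (member of "RAS and IAS Servers")
# and a machine certificate with the Server Authentication EKU that NPS can present for PEAP.
function Test-NpsPeapPrerequisites {
    $computer = ([ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
    $group    = ([ADSISearcher]'(&(objectCategory=group)(cn=RAS and IAS Servers))').FindOne()
    $members  = @($group.Properties['member'] | ForEach-Object { $_ })
    $registered = $computer -and $group -and ($members -contains $computer.Properties['distinguishedname'][0])

    $serverAuthEku = '1.3.6.1.5.5.7.3.1'
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    $thumbprint = if ($cert) { $cert.Thumbprint } else { $null }

    [pscustomobject]@{ RegisteredInAD = [bool]$registered; PeapCertificate = $thumbprint }
}

# NPS steps 1-8: the WLC as a RADIUS client. AuthAttributeRequired stays $false as in the post
# (the controller did not send Message-Authenticator at the time); set it to $true once yours does.
function Add-WlcRadiusClient {
    param([string]$Name, [string]$Address, [string]$SharedSecret)
    if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name }) {
        throw "RADIUS client '$Name' already exists; rotate its secret with Set-NpsRadiusClient instead."
    }
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $SharedSecret `
        -VendorName 'RADIUS Standard' -Enabled $true -AuthAttributeRequired $false | Out-Null
}

# WLC steps 3-9 and 12-15 as AireOS CLI with index and ports matching NPS. The secret is not
# echoed: paste it from your password manager. Syntax is assumed; check your release's reference.
function Get-WlcRadiusCommands {
    param([string]$NpsAddress, [int]$ServerIndex = 1, [int]$WlanId = 1)
    @"
config radius auth add $ServerIndex $NpsAddress 1812 ascii <secret-from-vault>
config radius acct add $ServerIndex $NpsAddress 1813 ascii <secret-from-vault>
config wlan disable $WlanId
config wlan radius_server auth add $WlanId $ServerIndex
config wlan radius_server acct add $WlanId $ServerIndex
config wlan security wpa enable $WlanId
config wlan security wpa wpa2 enable $WlanId
config wlan security wpa wpa2 ciphers aes enable $WlanId
config wlan security wpa akm 802.1x enable $WlanId
config wlan broadcast-ssid enable $WlanId
config wlan enable $WlanId
"@
}

# Troubleshooting: NPS reject events (Security log, Event ID 6273) read from the event XML,
# with hints for the Microsoft reason codes behind the causes listed above (subset, assumed).
function Get-NpsRejectSummary {
    param([int]$Hours = 24)
    $hints = @{
        16 = 'User credentials mismatch (wrong user name or password)'
        22 = 'EAP type cannot be processed by the server (PEAP not set up, or no usable certificate)'
        48 = 'No network policy matched: check the NAS Port Type and Windows group conditions'
        49 = 'No connection request policy matched'
        65 = 'Dial-in property is Deny: enable "Ignore user account dial-in properties" in the policy'
        66 = 'Authentication method not enabled on the matching network policy'
    }
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $code = [int]$data['ReasonCode']
        $hint = if ($hints.ContainsKey($code)) { $hints[$code] } else { $data['Reason'] }
        [pscustomobject]@{
            Time = $e.TimeCreated; User = $data['SubjectUserName']; Client = $data['ClientIPAddress']
            Policy = $data['NetworkPolicyName']; Reason = $code; Hint = $hint
        }
    }
}

# Usage, on the NPS server:
$checks = Test-NpsPeapPrerequisites
if (-not $checks.RegisteredInAD)  { Write-Warning 'NPS is not in "RAS and IAS Servers": register it in Active Directory first.' }
if (-not $checks.PeapCertificate) { Write-Warning 'No usable Server Authentication certificate in LocalMachine\My: PEAP will fail.' }
$secret = New-RadiusSharedSecret
Add-WlcRadiusClient -Name $WlcName -Address $WlcAddress -SharedSecret $secret
$secret   # shown once so it can go into the password manager and then into the WLC
Get-WlcRadiusCommands -NpsAddress $NpsAddress
Get-NpsRejectSummary -Hours 24 | Group-Object Reason | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Hint'; e = { $_.Group[0].Hint } }
```

The reject summary depends on the "Network Policy Server" audit subcategory being enabled, which the NPS role turns on by default; if it returns nothing while clients are failing, confirm that first with `auditpol /get /subcategory:"Network Policy Server"`. Reason code 65 is the "user dial-in properties" item from the list above, and 48 is what you see when the NAS Port Type or group condition in the network policy does not match what the controller sends.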
I have this setup working in several installations. I will prepare a guide and post it here and to Technet so the information is available from each side. The best way to understand the interaction of Client > WLC > RADIUS is to study how radius works and mock up a test lab first. There is actually quite a lot that you can do with this setup once you get the infrastructure in place. You can look for my earlier posts on getting around legacy LEAP for WDS in posts here and on Microsoft's sites here;
Look here for another post soon with a guide to one possible solution set.