How To Configure 802.1x (WPA2-EAP) Wireless Security Using Network Policy Server/RADIUS (NPS)

Here I will document how to set up WPA2-EAP (sometimes also known as WPA2-Enterprise), which authenticates wireless clients with 802.1X against a RADIUS server. In this example I will be using Microsoft Network Policy Server (NPS) as the RADIUS server.

Network Layout:

  • Domain Controller/Certificate Authority – 192.168.0.254
  • NPS Server – 192.168.0.253
  • Wireless Access Point – 192.168.0.252
  • Wireless AD Group – Wireless-Users

EAP Certificate

First, we must prepare for the EAP authentication by getting a security certificate. The easiest way to accomplish this is to install Certificate Services on a Windows Server (if you are using Active Directory, I would recommend installing this on a Domain Controller, as this will automatically enable LDAPS). Go to the Server Manager, add the Active Directory Certificate Services role, and add the Certification Authority role service. For this example, let's keep things simple and stick to the defaults for a domain-based installation. A certificate will be created by default, which is what we will use later.

Wireless Access Group

Seeing as we probably don't want people logging onto the network as Guest, or attempting to crack the domain administrator password, we are going to create an AD security group for the specific purpose of explicitly allowing people to connect to the wireless network. In AD Users and Groups, create a new group and call it Wireless-Users (group type will be Security). Click on the Members tab, and add the users you want to be able to connect to the wireless network (to revoke access later, remove the user from this group, or disable/delete the user account).

RADIUS / NPS Configuration

Next, we need to install NPS on one of our Windows servers. Using Server Manager, add the Network Policy and Access Services role. Add the Network Policy Server and Routing and Remote Access Services role services.
Once that is done, using the Server Manager, go to Roles > Network Policy Server > NPS (Local). Within Standard Configuration, select RADIUS server for 802.1X Wireless or Wired Connections, and click on Configure 802.1X.
NPS-1
We will go through the wizard, and select the following options:

  1. Network Connection Type: Secure Wireless Connections (Name can be the default)
  2. RADIUS Clients:
      • Click on Add, and insert the friendly name of the access point (for this example, we will use AP01).
      • For the IP address, enter the IP address or DNS name of the AP (in this example, it'll be 192.168.0.252).
      • For the shared secret, choose Manual, and for this example enter RADIUSPassword (we'll need this again when configuring the access point).

    NPS-2

  3. Once you click OK, select the new RADIUS client from the list and click on Next.
  4. For the EAP Type, select Microsoft: Protected EAP (PEAP), and click on Configure. Make sure that the new certificate that you created earlier is selected, and then click on OK, and then Next.
  5. For the groups, click on Add, select the new Wireless-Users group that you created earlier, and click on Next.
  6. Skip through the Traffic Controls, and then click on Finish.

Once the wizard is finished, we will need to go and make one small change. In the Server Manager, go to Roles > Network Policy Server > NPS (Local) > Policies > Network Policies and double click on the new policy that was created (by default, it's Secure Wireless Connections).
NPS-3

Click on the Constraints tab, and select Authentication Methods. Click on Add, and select Microsoft: Secured password (EAP-MSCHAP v2). (For some older wireless devices, you may need to come back here and enable some of the less secure methods, but I would suggest only enabling them as needed.) Click on OK, and you should be done with the NPS configuration!
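The group and RADIUS-client steps above can also be scripted, which is handy when you have more than one access point to register. The following PowerShell is an added example, not part of the original article: it creates the Wireless-Users group, registers AP01 as a RADIUS client with the article's example shared secret, and checks that a certificate suitable for PEAP is present in the machine store (the "could not negotiate the EAP method" error is what you get when that is missing). It assumes the ActiveDirectory and NPS PowerShell modules are installed on the NPS server and is run as a domain administrator; the member usernames jdoe and asmith are made up for the example.

```powershell
# Added example (not from the original article): scripted equivalent of the
# AD group and NPS RADIUS-client steps, plus a PEAP certificate check.
# Assumes the ActiveDirectory (RSAT) and NPS modules; run on the NPS server.
Import-Module ActiveDirectory
Import-Module NPS

$GroupName    = 'Wireless-Users'
$ClientName   = 'AP01'
$ClientIP     = '192.168.0.252'
$SharedSecret = 'RADIUSPassword'   # the article's example value

# For production, use a long random secret instead of a word, e.g.:
#   $bytes = New-Object byte[] 32
#   [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
#   $SharedSecret = [Convert]::ToBase64String($bytes)
# and configure the same value on the access point.

# 1. Create the wireless access group if it does not already exist.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global `
        -Description 'Users permitted to join the WPA2-EAP wireless network'
}
# Constructed example members; removing a user from this group (or disabling
# the account) revokes wireless access.
Add-ADGroupMember -Identity $GroupName -Members 'jdoe', 'asmith'

# 2. Register the access point as a RADIUS client. NPS silently discards
# RADIUS traffic from addresses that are not registered, so the address here
# must be the one the AP actually sends from.
if (-not (Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName })) {
    New-NpsRadiusClient -Name $ClientName -Address $ClientIP -SharedSecret $SharedSecret
}

# 3. Confirm a certificate usable for PEAP exists: it needs a private key,
# the Server Authentication EKU, and must not be expired. Wireless clients
# must also trust the CA that issued it.
$peapCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' -and
    $_.NotAfter -gt (Get-Date)
}
if (-not $peapCert) {
    Write-Warning 'No valid Server Authentication certificate in LocalMachine\My; PEAP will fail to negotiate.'
} else {
    $peapCert | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
}
```

The certificate check only tells you a candidate exists; you still need to select it under the PEAP settings of the network policy, as step 4 of the wizard describes.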

Access Point Configuration

Next, we will need to configure the wireless access point for WPA2-EAP. This will vary depending on your access point, but generally it will consist of the following basic settings:

  • Security Type: WPA2-EAP (also known as WPA2-Enterprise or WPA-Enterprise)
  • RADIUS Server (or 802.1X Server): IP Address of your NPS server (in this example, it is 192.168.0.253)
  • RADIUS Server Password (shared secret): Use the same password that you set for the RADIUS client when setting up the NPS server (in this example, it's RADIUSPassword).

Connecting Your Mobile Device

Now we can test our connection to make sure everything works. I have an Android 4.3 phone, so I will connect to the network and set the following:

  • EAP Method: PEAP
  • Phase 2 Authentication: MSCHAPV2
  • Identity: My Active Directory Username (don’t worry about including the domain name)
  • Password: The password for my Active Directory user.

Android 4.3 EAP Connection

If everything is working right, you should be connected and ready to go!

If something doesn't work, check the event logs on the NPS server to see the error. I initially had an unknown login error; looking at the error, I saw that I had used the RADIUS client IP of my Wireless Controller rather than the AP (changing it to the AP IP address worked, which also prompted me to start statically assigning IP addresses to the APs). I then had an error that said the login failed because it could not negotiate the EAP method. It turned out that most tutorials don't mention that you have to assign PEAP a certificate, which is why I included that in this article.
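To make the "check the event logs" step concrete, here is an added PowerShell example (not from the original article) that pulls the relevant NPS events on the NPS server. NPS writes authentication results to the Security log (6272 access granted, 6273 access denied, 6274 request discarded) and logs RADIUS traffic from an unregistered client address as event 13 from source NPS in the System log, which is the symptom behind the first problem described above. The hint text in the reason-code table is my paraphrase of Microsoft's documented NPS reason codes; the event data field names used here can be confirmed in Event Viewer's XML view if a build differs.

```powershell
# Added example (not from the original article): summarise recent NPS
# authentication failures and unregistered-client events on the NPS server.
# Run in an elevated PowerShell session on the NPS server.

# Pull a named field out of an event's EventData by its Name attribute.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Paraphrased subset of Microsoft's NPS reason codes for the failures most
# likely in this setup.
$ReasonHints = @{
    16 = 'Credentials mismatch: wrong password, or the identity was not found as typed'
    22 = 'EAP type cannot be processed: check PEAP is enabled and has a certificate assigned'
    48 = 'No network policy matched: check the policy conditions (group membership, NAS port type)'
    65 = 'Network Access Permission on the user account is set to Deny access'
    66 = 'Auth method not enabled on the matched policy: add EAP-MSCHAP v2 under Constraints'
}

# Security log: denied (6273) and discarded (6274) requests, newest first.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 6274 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue

$summary = foreach ($e in $failures) {
    $code = [int](Get-EventDataField $e 'ReasonCode')
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        User     = Get-EventDataField $e 'SubjectUserName'
        ClientIP = Get-EventDataField $e 'ClientIPAddress'
        Policy   = Get-EventDataField $e 'NetworkPolicyName'
        Reason   = $code
        Hint     = if ($ReasonHints.ContainsKey($code)) { $ReasonHints[$code] }
                   else { Get-EventDataField $e 'Reason' }
    }
}
$summary | Format-Table -AutoSize

# System log: RADIUS messages from an IP that is not a registered RADIUS
# client (e.g. the wireless controller's address instead of the AP's).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 13 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

If the Security query returns nothing at all while the client still fails, look at the System log query: a request from an unregistered address is discarded before it ever reaches the policy engine, so no 6273 is written for it.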

In a future article I’ll explain how to use Group Policy Objects to grant access to the wireless network automatically.
