Ruijie Wireless AC Connects To The NPS Server For Domain-Based 1x Authentication

Ruijie WLAN Products

Wireless Controller Authentication Integration


Configuration Case Study

Document Version V1.0


Archived Date 2021-07-01
copyright © 2021 Ruijie Networks
Copyright Statement
copyright © 2021 Ruijie Networks
All rights reserved for this document and this statement.
Without written permission from Ruijie Networks, no unit or individual may copy, excerpt, backup, modify,
disseminate, translate all or part of the content of this document into other languages, or use it all or part of it for
commercial purposes.

[Ruijie logo] and other Ruijie Networks trademarks are trademarks of Ruijie Networks.

All other trademarks or registered trademarks mentioned in this document are the property of their respective
owners.
Disclaimer
The products, services, or features you have purchased or are using are subject to commercial contracts and
terms. Some or all of the products, services, or features described in this document may not be within the scope
of your purchase or use. Unless otherwise specified in the contract, Ruijie Networks makes no express or
implied statements or warranties regarding the content of this document.
Due to product version upgrades or other reasons, the content of this document will be updated periodically.
Ruijie Networks reserves the right to modify the content of the document without any notice or prompt.
This manual is for reference only. Ruijie Networks has made every effort to ensure the accuracy and reliability of
the information in this manual, but does not guarantee that the manual is free from errors or omissions. All
information in this manual is provided on an "as is" basis without any express or implied warranties.

Introduction
Target audience
This book is suitable for the following individuals to read.
 Network Engineer
 Technical promoter
 Network administrator

Technical Support
 Official website of Ruijie Networks: http://www.ruijie.com.cn
 Ruijie Networks official website service and support section: http://www.ruijie.com.cn/fw/
 Ruijie Networks 7*24h Intelligent Customer Service Lightning Rabbit: http://ocs.ruijie.com.cn
 7*24h technical service hotline: 4008-111-000
 Ruijie Networks Technology Forum: http://bbs.ruijie.com.cn/portal.php
 Ruijie Networks After-sales Service Tool - Xiao Rui Cloud Service: http://www.ruijie.com.cn/special/fw/tool/xryf/
 Support and Feedback Email for Ruijie Networks Technology: [email protected]

XiaoRui Cloud Service App Ruijie Service Official Account

Conventions Used in This Book


1. Command Line Format Conventions

Format             Explanation
Bold               Command line keywords (the part that must be entered exactly as shown in the command) are shown in bold.
Italic             Command line parameters (the part of the command that must be replaced with an actual value) are shown in italics.
[ ]                The part enclosed in [ ] is optional when configuring the command.
{ x | y | ... }    Select exactly one of two or more options.
[ x | y | ... ]    Select one or more of two or more options, or none.
//                 A line starting with double slashes is a comment line.

2. Graphical User Interface Format Conventions

Interface icons    Explanation                                        For example
< >                Button                                             <Confirm>
[ ]                Menu item, dialog box name, page name, tab name    The menu item "System Settings" can be simplified to [System Settings]
>>                 Hierarchical page, sub-menu item                   [System Settings] >> [System Administrator]
""                 Configuration items, prompt messages, links        "Save configuration successful" as prompted in the dialog box;
                                                                      Click the "Enable" option; Click the "Forgot Password" link

3. Various Types of Markers


This book also uses various prominent signs to indicate places where special attention should be paid during
the operation process. The meanings of these signs are as follows:

Warning
Rules that users must strictly abide by. Ignoring such information may result in personal danger or equipment
damage.

Attention
Important information that users must be aware of. Ignoring such information may result in functionality failure
or performance degradation.

Explanation
Used to provide supplementary, declarative, prompt, etc. Ignoring such information will not lead to serious
consequences.

Product/Version Support
Explanation for providing product or version support.

4. Instructions
 The port types in the example section of this manual may not match the actual ones. In actual operation,
configuration should be based on the supported port types of each product.
 In the displayed information of the examples in this manual, there may be content from other product series
(such as product models, descriptions, etc.). Please refer to the actual device information for specific
displayed information.
 The routers and router product icons mentioned in this manual represent routers in a general sense, as well
as Layer 3 switches that run routing protocols.

Table of Contents
Introduction...........................................................................................................................................1
1 Configuring the integration between Ruijie AC and NPS (Network Policy Server)........................1-1
1.1 Configuration Example for Wireless 802.1X Authentication..................................................1-1
1.1.1 Introduction to Wireless 802.1X Authentication.........................................................1-1
1.1.2 Products and versions used in the configuration examples.......................................1-1
1.1.3 Network Requirements...............................................................................................1-1
1.1.4 Network diagram........................................................................................................1-2
1.1.5 Configuration Key Points............................................................................................1-3
1.1.6 Configuration Steps....................................................................................................1-3
1.1.7 Verify Configuration Results.......................................................................................1-6
1.1.8 Common Errors..........................................................................................................1-6
2 Appendix.........................................................................................................................................2-6
2.1 Deploy NPS Server................................................................................................................2-6
2.1.1 NPS server operating system....................................................................................2-6
2.1.2 Install AD Domain Server...........................................................................................2-7
2.1.3 Install CA server.......................................................................................................2-22
2.1.4 Install Server Certificate...........................................................................................2-32
2.1.5 Install NPS Server....................................................................................................2-36
2.1.6 Configure NPS Server..............................................................................................2-39
2.1.7 Client PC joins the domain and installs certificates.................................................2-57

1 Configuring the integration between Ruijie AC and NPS (Network Policy Server)
1.1 Configuration Example for Wireless 802.1X Authentication
1.1.1 Introduction to Wireless 802.1X Authentication
The 802.1X protocol is a port-based network access control protocol that operates in a client/server mode. It
uses the Extensible Authentication Protocol (EAP) framework to authenticate, and to control network access for,
every client connected at the LAN port level.
When 802.1X is used for wireless access authentication, PEAP establishes a certificate-based encrypted (TLS)
channel between the authentication client and the authentication server, so that the EAP exchange carried inside
it is protected by the server certificate. This greatly improves the security and reliability of 802.1X
authentication on wireless networks. It is generally suitable for newly built networks, scenarios with centralized
users, and environments with strict information security requirements.

1.1.2 Products and versions used in the configuration examples

Table 1-1 Products and versions used in the configuration examples

Device Type              Device Name                    Version
WLAN AC                  RG-WS6812                      AC_RGOS 11.9(6)B3, Release(08161619)
Authentication Server    NPS (Network Policy Server)    Built on Windows Server 2008 R2

1.1.3 Network Requirements


To ensure information security, users need to use an 802.1X client to authenticate themselves by entering their
username and password when connecting to a WLAN network. Only after successful authentication can they
access the Internet.
 Install 802.1X client software on the user terminal (the client built into the operating system, Ruijie
Supplicant, or other client software that complies with the IEEE 802.1X standard).
 Wireless controllers support the 802.1X protocol.
 The authentication server supports the standard RADIUS.

1.1.4 Network diagram

Figure 1-1 Network Diagram for Integration with Huawei Agile Controller-Campus Server

[Figure: Router A (G0/1 172.29.26.254/24) connects to Switch A (G0/4 172.29.26.1/24; G0/3 172.29.25.254/24 toward the RADIUS Server 172.29.25.130/24; SVI 1 63.57.1.254/24, SVI 2 63.57.2.254/24, SVI 3 63.57.3.254/24). The AC (SVI 1 63.57.1.34/24, Loopback 0 63.254.254.34/32) hangs off Switch A; Switch B connects Switch A to the AP, which serves the STAs. Management VLAN: VLAN 2; Service VLAN: VLAN 3.]

Network Configuration Guide:

 The NPS (Network Policy Server) server is reachable from SwitchA at Layer 3.
 The AC is attached to SwitchA (side-mounted) and communicates through it.
 SwitchA acts as a DHCP server to assign IP addresses to the AP and STAs.
 SwitchB is a PoE switch that provides power to the AP.
 The WLAN authentication method for wireless user access is 802.1X.

Table 1-1 Configuration Information Description on Access Device (AC)

Information item                                  Instructions
AC Management VLAN                                VLAN 1
AC Management IP                                  IP address
IP address used to establish CAPWAP tunnel        IP address
for AC
Management VLAN for AP                            2
AP Address Pool                                   AP_VLAN_2: IP address~IP address
AP group to which the AP belongs                  huawei
STA's service VLAN                                3
STA Address Pool                                  STA_VLAN_3: IP address~IP address
SSID Name                                         802.1x-huawei
RADIUS Authentication Parameters                  RADIUS authentication server group: NPS
                                                  RADIUS authentication server: IP address
                                                  Authentication/accounting shared key: ruijie@123
AAA Method List                                   Authentication method list: NPS
                                                  Accounting method list: nps

Table 1-2 NPS Server Configuration Information Explanation

Information item                                  Instructions
Access Device IP Address                          IP address
RADIUS Shared Secret                              ruijie@123
Authentication account                            ruijie/ruijie@123

1.1.5 Configuration Key Points


 Configure network connectivity.
    Configure SwitchA.
    Configure SwitchB.
    Configure AC.
 Configure AP online.
    Configure SwitchA as a DHCP server to assign IP addresses to AP and STA.
    Create a wireless signal and AP group on the AC, and associate the wireless signal with the created AP group.
    Add the offline AP to the created AP group on the AC.
 Configure 802.1X authentication parameters.
    Configure RADIUS authentication server.
    Configure AAA method list.
 Enable 802.1X authentication.
 Configure NPS server.
    Add access device.
    Add authentication account.
    Refer to the appendix for detailed steps to deploy the NPS server.

1.1.6 Configuration Steps


1. Configure network connectivity
(1) Configure SwitchA.

SwitchA> enable
SwitchA# config terminal
SwitchA(config)# interface GigabitEthernet 0/1

SwitchA(config-if-GigabitEthernet 0/1)# switchport mode trunk
SwitchA(config-if-GigabitEthernet 0/1)# description to_AC
SwitchA(config-if-GigabitEthernet 0/1)# exit
SwitchA(config)# interface GigabitEthernet 0/2
SwitchA(config-if-GigabitEthernet 0/2)# switchport mode trunk
SwitchA(config-if-GigabitEthernet 0/2)# description to_SwitchB
SwitchA(config-if-GigabitEthernet 0/2)# exit
SwitchA(config)# interface GigabitEthernet 0/3
SwitchA(config-if-GigabitEthernet 0/3)# description to_Huawei_Agile_Controller
SwitchA(config-if-GigabitEthernet 0/3)# no switchport
SwitchA(config-if-GigabitEthernet 0/3)# ip address IP address IP address
SwitchA(config-if-GigabitEthernet 0/3)# exit
SwitchA(config)# interface GigabitEthernet 0/4
SwitchA(config-if-GigabitEthernet 0/4)# no switchport
SwitchA(config-if-GigabitEthernet 0/4)# ip address IP address IP address
SwitchA(config-if-GigabitEthernet 0/4)# exit
SwitchA(config)# interface vlan 1
SwitchA(config-if-VLAN 1)# ip address IP address IP address
SwitchA(config-if-VLAN 1)# vlan 2
SwitchA(config-vlan)# interface vlan 2
SwitchA(config-if-VLAN 2)# ip address IP address IP address
SwitchA(config-if-VLAN 2)# vlan 3
SwitchA(config-vlan)# interface vlan 3
SwitchA(config-if-VLAN 3)# ip address IP address IP address
SwitchA(config-if-VLAN 3)# exit
SwitchA(config)# ip route IP address IP address IP address
SwitchA(config)# ip route IP address IP address IP address
(2) Configure SwitchB.

SwitchB> enable
SwitchB# config terminal
SwitchB(config)# vlan range 2,3
SwitchB(config-vlan-range)# exit
SwitchB(config)# interface GigabitEthernet 0/1
SwitchB(config-if-GigabitEthernet 0/1)# switchport mode trunk
SwitchB(config-if-GigabitEthernet 0/1)# exit
SwitchB(config)# interface GigabitEthernet 0/2
SwitchB(config-if-GigabitEthernet 0/2)# switchport mode trunk
SwitchB(config-if-GigabitEthernet 0/2)# switchport trunk native vlan 2
SwitchB(config-if-GigabitEthernet 0/2)# exit
SwitchB(config)# exit
(3) Configure AC.

AC> enable
AC# configure terminal
AC(config)# interface gigabitEthernet 0/1
AC(config-if-GigabitEthernet 0/1)# switchport mode trunk
AC(config-if-GigabitEthernet 0/1)# interface VLAN 1
AC(config-if-VLAN 1)# ip address IP address IP address
AC(config-if-VLAN 1)# interface loopback 0
AC(config-if-Loopback 0)# ip address IP address IP address
AC(config-if-Loopback 0)# vlan range 2,3
AC(config-vlan-range)# exit
AC(config)# ip route IP address IP address IP address

2. Configure AP online
(1) Configure SwitchA as a DHCP server to assign IP addresses to AP and STA.

SwitchA(config)# service dhcp
SwitchA(config)# ip dhcp server pool AP_VLAN_2
SwitchA(dhcp-config)# network IP address IP address
SwitchA(dhcp-config)# option 138 ip IP address // option 138 carries the AC's IP address so that the AP can discover the AC and build the CAPWAP tunnel
SwitchA(dhcp-config)# default-router IP address
SwitchA(dhcp-config)# exit
SwitchA(config)# ip dhcp server pool STA_VLAN_3
SwitchA(dhcp-config)# network IP address IP address
SwitchA(dhcp-config)# dns-server IP address
SwitchA(dhcp-config)# default-router IP address
SwitchA(dhcp-config)# exit
SwitchA(config)# exit

(2) Create wireless access signals and AP groups on the AC, and associate the wireless signals with the
created AP groups.

AC(config)# wlan-config 1000 npstest

AC(config-wlan)# ap-group nps

AC(config-group)# interface-mapping 1000 3

AC(config-group)# exit

(3) Add the offline AP to the created AP group on the AC.

AC(config)# ap-config AP180L

AC(config-ap)# ap-group nps

AC(config-ap)# exit

3. Configure parameters related to 802.1X authentication


(1) Configure RADIUS authentication server.

AC(config)# radius-server host IP address key ruijie@123
(2) Configure AAA method list.

Configuration method when AAA domain authentication is not enabled in the environment:

AC(config)# aaa new-model

AC(config)# aaa group server radius npstest

AC(config-gs-radius)# server IP address

AC(config-gs-radius)# exit

AC(config)# aaa authentication dot1x nps group npstest

AC(config)# aaa accounting network nps start-stop group npstest

If AAA domain authentication is enabled in the environment, configure as follows:

AC(config)# aaa new-model

AC(config)# aaa group server radius npstest

AC(config-gs-radius)# server IP address

AC(config-gs-radius)# exit

AC(config)# aaa authentication dot1x nps group npstest

AC(config)# aaa accounting network nps start-stop group npstest

AC(config)# aaa domain enable

AC(config)# aaa domain npstest.com

AC(config)# authentication dot1x nps

AC(config)# accounting network nps

4. Enable 802.1X authentication

AC(config)# dot1x multi-account enable // This command is required: in an AAA domain authentication environment a
terminal may switch between accounts

AC(config)# wlansec 1000

AC(config-wlansec)# security rsn enable

AC(config-wlansec)# security rsn ciphers aes enable

AC(config-wlansec)# security rsn akm 802.1x enable

AC(config-wlansec)# exit

AC(config)# exit

5. Configure NPS Server
NPS server deployment and configuration can be found in the appendix.

1.1.7 Verify Configuration Results


After a wireless user has authenticated successfully, use the "show dot1x summary" command to check that the
user with the username "ruijie" has come online.

AC#show dot1x summary
ID  Username                  MAC             Interface  VLAN  Auth-State     Backend-state  Port-Status  User-Type  Time
--- ------------------------- --------------- ---------- ----- -------------- -------------- ------------ ---------- -----------------
74  host/ruijie.npstest.com   f003.8c84.5ac5  wlan 1000  3     Authenticated  Idle           Authed       static     0days 0h35m 6s
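As an added example (not part of the Ruijie document), the following Python script parses output in the layout of "show dot1x summary" and reports which accounts are in the Authenticated state. It also reduces the RADIUS User-Name to the bare account, because a domain-joined PC that authenticates with its machine credentials appears as "host/<computer>.<domain>" rather than as "ruijie". The sample output is constructed; its second row (a client that has not authenticated) is invented for contrast, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of "show dot1x summary" on the AC; not a capture from the
# original document. Row 75 is an invented, still-unauthenticated client used for contrast.
SAMPLE_OUTPUT = """\
AC#show dot1x summary
ID  Username                  MAC             Interface  VLAN  Auth-State       Backend-state  Port-Status  User-Type  Time
--- ------------------------- --------------- ---------- ----- ---------------- -------------- ------------ ---------- -----------------
74  host/ruijie.npstest.com   f003.8c84.5ac5  wlan 1000  3     Authenticated    Idle           Authed       static     0days 0h35m 6s
75  NPSTEST\\alice            0011.2233.4455  wlan 1000  3     Unauthenticated  Idle           Unauthed     static     0days 0h0m 12s
"""

# One session row. The Interface column may contain a space ("wlan 1000") and the Time column
# contains several, so those two fields are matched explicitly instead of splitting on whitespace.
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+"
    r"(?P<username>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<interface>wlan\s+\d+|\S+)\s+"
    r"(?P<vlan>\d+)\s+"
    r"(?P<auth_state>\S+)\s+"
    r"(?P<backend_state>\S+)\s+"
    r"(?P<port_status>\S+)\s+"
    r"(?P<user_type>\S+)\s+"
    r"(?P<time>.+?)\s*$"
)


def parse_dot1x_summary(text):
    """Return one dict per session row; the prompt, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def account_of(username):
    """Reduce a RADIUS User-Name to the bare account name:
    'host/ruijie.npstest.com' -> 'ruijie' (machine account of the domain-joined PC),
    'NPSTEST\\alice' -> 'alice' (down-level logon name), 'bob@npstest.com' -> 'bob' (UPN)."""
    name = username.split("\\")[-1]
    if name.startswith("host/"):
        name = name[len("host/"):].split(".")[0]
    return name.split("@")[0]


def authenticated_accounts(text):
    """Set of bare account names whose Auth-State column reads Authenticated."""
    return {account_of(r["username"])
            for r in parse_dot1x_summary(text) if r["auth_state"] == "Authenticated"}


def user_is_online(text, account):
    """True when the given account has at least one authenticated 802.1X session."""
    return account in authenticated_accounts(text)


if __name__ == "__main__":
    for row in parse_dot1x_summary(SAMPLE_OUTPUT):
        print(row["id"], account_of(row["username"]), row["mac"], row["vlan"], row["auth_state"])
    print("ruijie online:", user_is_online(SAMPLE_OUTPUT, "ruijie"))
```

Run it against a saved copy of the command output. In a monitoring job, compare authenticated_accounts() against the set of accounts you expect and alert on clients that stay Unauthenticated; that condition usually points at one of the common errors listed in 1.1.8.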

1.1.8 Common Errors


 The shared secret on the AC for configuring the RADIUS authentication server is inconsistent with the
shared secret on the NPS server.
 Incorrect certificate selection in NPS EAP settings.
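Both errors above show up on the wire rather than in the AC's configuration, and the first one is easy to misread because a NAS whose shared secret differs from the server's does not receive an Access-Reject at all. The following Python example, added here and not taken from the document or from any Ruijie or Microsoft code, implements the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator that every EAP-carrying RADIUS exchange must include, and simulates one Access-Request/Access-Accept round trip between the AC and NPS with matching and with mismatched secrets. The packet identifier, NAS address, user name and EAP payload are constructed values, and the function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return bytes([attr_type, len(value) + 2]) + value


def _assemble(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def _sign(code, ident, request_auth, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the MA value zeroed).
    The Request Authenticator sits in the header for both requests and replies (RFC 3579 3.2)."""
    draft = _assemble(code, ident, request_auth, attrs + [attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, draft, hashlib.md5).digest()
    return _assemble(code, ident, request_auth, attrs + [attr(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def _split(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_access_request(ident, secret, username, nas_ip, eap_message, request_auth=None):
    """What the AC (the NAS) sends; eap_message is the raw EAP payload relayed from the client."""
    request_auth = request_auth or os.urandom(16)
    attrs = [attr(ATTR_USER_NAME, username.encode()),
             attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             attr(ATTR_EAP_MESSAGE, eap_message)]
    return _sign(ACCESS_REQUEST, ident, request_auth, attrs, secret)


def verify_message_authenticator(packet, secret, request_auth=None):
    """Server-side check of a request, or NAS-side check of a reply given the Request Authenticator."""
    code, ident, authenticator, attrs = _split(packet)
    hmac_auth = authenticator if request_auth is None else request_auth
    received, rebuilt = None, []
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received, value = value, bytes(16)
        rebuilt.append(attr(attr_type, value))
    if received is None:
        return False
    expected = hmac.new(secret, _assemble(code, ident, hmac_auth, rebuilt), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(code, request, secret, attrs):
    """What NPS sends back. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, request_auth, _ = _split(request)
    signed = _sign(code, ident, request_auth, attrs, secret)
    response_auth = hashlib.md5(signed[:4] + request_auth + signed[20:] + secret).digest()
    return signed[:4] + response_auth + signed[20:]


def verify_response(response, request, secret):
    """NAS-side check; a reply that fails either check is silently discarded (RFC 2865 3)."""
    _, _, request_auth, _ = _split(request)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected) and \
        verify_message_authenticator(response, secret, request_auth)


def exchange(nas_secret, server_secret):
    """Simulate one Access-Request / Access-Accept round trip.
    Returns (server_accepted_request, nas_trusted_reply)."""
    # Constructed EAP-Response/Identity with an empty identity: code 2, id 1, length 5, type 1.
    request = build_access_request(7, nas_secret, "host/ruijie.npstest.com", "63.57.1.34",
                                   b"\x02\x01\x00\x05\x01")
    if not verify_message_authenticator(request, server_secret):
        return (False, False)   # server discards the request; the client never sees a reply
    reply = build_response(ACCESS_ACCEPT, request, server_secret,
                           [attr(ATTR_USER_NAME, b"host/ruijie.npstest.com")])
    return (True, verify_response(reply, request, nas_secret))


if __name__ == "__main__":
    print("matching secrets:  ", exchange(b"ruijie@123", b"ruijie@123"))
    print("mismatched secrets:", exchange(b"ruijie@123", b"ruijie"))
```

With mismatched secrets the request's Message-Authenticator fails on the server, so the request is discarded rather than rejected (NPS records it as a discarded request, not as a failed authentication), and even a server that skipped that check would produce a reply whose Response Authenticator the NAS cannot verify. The second common error, a wrong certificate in the EAP settings, is not visible at this layer: it fails inside the PEAP TLS handshake carried in the EAP-Message attributes.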

2 Appendix
2.1 Deploy NPS Server
This section describes how to deploy an NPS server on the Windows Server 2008 R2 Enterprise operating system
so that it authenticates devices against the AD domain and performs wireless dot1x authentication. The NPS
server requires the deployment of AD Domain Services, AD Certificate Services, DNS, Web Server (IIS), and the
NPS service.

2.1.1 NPS server operating system

Table 2-1 NPS Server Operating System

Server Type           Operating System                     Instructions
Windows NPS Server    Windows Server 2008 R2 Enterprise    Provides services for certificate application, issuance, revocation, etc.

2.1.2 Install AD Domain Server


1. Change the DNS address of the server
Select [Control Panel] >> [Network and Internet] >> [Network Connections], and change the "Preferred
DNS server" of the server to the local IP address.

Figure 2-1 Modify the "Preferred DNS Server" of the CA server

2. Add "Active Directory Domain Services" role


(1) Click "[Start] >> [Administrative Tools] >> [Server Manager]" to open Server Manager (or directly click the
shortcut menu next to the "Start" menu). Click the [Roles] menu on the left and click the "Add Roles" button
in the [Roles Summary] area on the right.

Figure 2-1 Click "Add Roles"

(2) Check the "Active Directory Domain Services" checkbox and click "Next".

Figure 2-1 Select Server Role

Figure 2-2 Introduction to Active Directory Domain Services

(3) Click "Install" to start installing the domain service

Figure 2-1 Confirm installation selection

(4) After completing the installation of the domain service, you can click "Close" or click "Close this wizard and
launch the Active Directory Domain Services Installation Wizard (dcpromo.exe)" to automatically open the
domain controller configuration interface.

Figure 2-1 Installation Result

3. Install Active Directory Domain Controller


(1) On the [Active Directory Domain Services Installation Wizard] page, select "Use advanced mode installation"
and proceed to the next step.

Figure 2-1 Check "Use Advanced Mode Installation"

(2) The "Operating System Compatibility" page describes improvements in the new version of Active Directory
Domain Services. No setting is needed here; proceed to the next step.

Figure 2-1 Operating System Compatibility Selection

(3) Select this domain controller to "Create a new domain in a new forest".

Figure 2-1 Create a new domain in a new forest

(4) When you click "Next", if you receive the following error message, run the following command at the command
prompt: net user username password /passwordreq:yes (replace username and password with the local Administrator
account name and its password).

Figure 2-1 The local Administrator account does not meet the requirements

(5) The name of this domain is specified, and because it is the first domain in the forest, it is also called the root
domain.

Figure 2-1 Enter the root domain name

The domain created in this experiment is npstest.com. Create the domain according to actual needs.

(6) The "Domain NetBIOS name" defaults to ADTEST. Because "." is an illegal character in a NetBIOS name, the
domain's NetBIOS name is essentially the part of the domain name before the ".". The default does not need to be
changed here.

Figure 2-1 NetBIOS domain name

NetBIOS names are based on domain names, by default it is the top-level domain name before .com, in
this experiment it is NPSTEST

(7) Set the "Forest Functional Level". The forest functional level selected here will affect the domain controllers
that can be added later.

Figure 2-1 Set Forest Functional Level

(8) Set the "Domain Functional Level". To obtain the strongest domain functionality, set the domain functional
level according to the lowest operating system version used in the domain.

Figure 2-1 Domain Functional Level

(9) After clicking "Next", the DNS configuration will be checked.

Figure 2-1 Check DNS configuration

(10) Since we have not installed the DNS service, you will need to check "Install DNS service".

Figure 2-1 Install DNS service

(11) In the pop-up warning message, select "Yes" to ignore the warning and continue with the execution, then
proceed to the "Next" step.

Figure 2-1 Install DNS server

(12) Configure the storage locations of the AD database, log files, and SYSVOL. It is generally recommended to
store the database and log files in different locations.

Figure 2-1 Set the location of the database, log files, and SYSVOL

(13) Set the Directory Services Restore Mode password. It is required when restoring Active Directory from a
backup.

Figure 2-1 Set the Directory Services Restore Mode password

(14) After all the above steps are set up, the configuration will be summarized in the form of a summary for
review.

Figure 2-1 Domain Service Summary Information

(15) If the configuration is correct, proceed to the next step to start the installation.

Figure 2-1 Start Installation

(16) After the installation is complete, you will be prompted to restart the computer. Once restarted, the setup of
the AD domain controller is complete.

Figure 2-1 Restart the computer

2.1.3 Install CA server


(1) Log in to the domain server with the Administrator username, click "[Start] >> [Administrative Tools] >>
[Server Manager]" to open Server Manager. Click the "Roles" menu on the left, and in the "Roles Summary"
area on the right, click the "Add Roles" button.
(2) On the "Select Server Roles" page, check the "Active Directory Certificate Services" checkbox. Click "Next"
twice.

Figure 2-1 Select "Active Directory Certificate Services"

Figure 2-2 Introduction to Active Directory Certificate Services

(3) On the "Select Role Services" page, select the checkboxes for "Certificate Authority", "Certificate Authority
Web Enrollment", and "Online Responder", and then click "Next".

Figure 2-1 Select Role Services

(4) On the "Specify Installation Type" page, click "Enterprise" and then click "Next".

Figure 2-1 Installation Type

(5) On the "Specify CA Type" page, click "Root CA", and then click "Next".

Figure 2-1 CA type selection

(6) On the "Private Key" page, you can configure optional configuration settings. Use the default configuration
"Create New Private Key" here, and then click "Next".

Figure 2-1 Set Private Key

(7) On the "Encryption" page, configure the encryption service provider with the default settings, and then click
"Next".

Figure 2-1 Configure Encryption for CA

(8) In the "Common name for this CA" box, you can keep the default, which is the computer name of the domain
server. Then click "Next".

Figure 2-1 Configure CA name

(9) On the "Set Certificate Validity Period" page, accept the default validity period of the root CA, and then click
"Next".

Figure 2-1 Set certificate validity period

(10) On the "Configure Certificate Database" page, accept the default values or specify alternative storage
locations for the certificate database and certificate database log, and then click "Next".

Figure 2-1 Configure Certificate Database

(11) On the "Web Server (IIS)" page, simply click "Next".

Figure 2-1 Web Server Installation

(12) On the "Role Services" page, use the default configuration and then click "Next".

Figure 2-1 Add the role services for the Web server

(13) Click "Install" after verifying the information on the "Confirm Installation Selection" page.

Figure 2-1 Confirm Installation Selection

(14) Verify the installation by checking the configuration information.

Figure 2-1 Confirm installation result

2.1.4 Install Server Certificate
1. Browser Settings
(1) In the IE browser, go to Tools -> Internet Options -> Security, open the trusted sites list, and add
http://localhost/certsrv to the trusted sites.
(2) Set a secure custom level to initialize and execute ActiveX controls that are not marked as safe for scripting
in the ActiveX options.
(3) Remove the check mark in front of "Disable script debugging" in Advanced.

2. Apply for server-side certificate and install
(1) Access http://serverip/certsrv, log in with the management account and password of the PC, and follow the
instructions in the image to apply for a certificate.

Apply for a certificate for the web server, it is recommended to name it after the server's computer name, keep
other options as default, and click submit to submit the application.

Click YES to apply for the certificate. After the application is completed, click "install this certificate" to install the
certificate.

After the certificate installation is completed, follow the steps indicated in the figure to view the certificate. The
newly applied certificate has been installed successfully.

2.1.5 Install NPS Server


(1) Click "[Start] >> [Administrative Tools] >> [Server Manager]" to open Server Manager. Click the "Roles"
menu on the left, and in the "Roles Summary" area on the right, click the "Add Roles" button.
(2) Select network policies and access services for installation.

Figure 2-1 Select Network Policy and Access Services

Figure 2-2 Select Next

Figure 2-3 Select Network Policy Server

Network policies and access services are now installed. If prompted to restart the PC, please restart. If there is
no prompt, continue with the configuration.
After the above steps, we have completed the installation of: AD Domain Services, DNS Services, AD Domain
Certificate, WEB Server (IIS), Network Policy and Access Services.

2.1.6 Configure NPS Server


1. Adding Users and Groups in AD Domain Services
(1) Configure groups and users in AD Domain Services. Select the AD domain server, choose "user", right-click
and select "new", then select "group".

Figure 2-1 Create a new group under Users in the Active Directory domain

(2) After creating the group, proceed to create a new user. Select "user", right-click and choose "new", "user".

Figure 2-1 Create a new user in the AD domain

Passwords must meet complexity requirements and include letters, special characters, and numbers.

(3) Double-click the "ruijie" account to set the properties for the user, including the Dial-in property and the
Member Of property.

Figure 2-1 User Property Settings

The process of setting the Member of attribute is as follows: select add -> advanced -> find now, and in the
search result section at the bottom, select the groups as shown in the above figure. Select the domain admin,
domain users, and the wirelessac group created in the previous step. In this way, the username and groups are
set. For these three groups, the default group is Domain Users. In order for the username "ruijie" to have remote
access, it is added to the Domain Admins group. The wirelessac group is used for security policies.

2. Enable NPS service.

Right-click and select "Register Server in Active Directory". During the registration process, you will be
prompted to enable the NPS service.

3. Add radius client


Add radius client, which is the AC device we need to connect to.

Select the radius client to add the AC device. The shared secret and the key configured in the "radius-server
host IP address key ruijie" command on the device should be consistent.

After the settings are completed, click OK; the device is added.

4. Set up wireless 802.1x authentication template
Set up wireless 802.1x authentication template for AC
NPS(Local)->RADIUS server for 802.1x wireless or wired connections->configure 802.1x

Select the AC devices to be connected. The image shows the two devices that have been added in the previous step in
the RADIUS client. If the devices have not been added yet, you can choose "Add" in this step to add new devices.

Select PEAP, and then click configure to set it up

Select the server certificate applied for earlier, as shown in the figure; do not select the root CA certificate.
Click OK, return to the configuration interface, and click Next.

Enter the configuration of the group, go to add->advanced->find now, select the group configured earlier, click on check
name after selecting, if the warning shown in the figure below appears, click close, then check name again and add the
group. The result of the addition is shown in the figure below.

An error occurred. Simply click close, then check the name again.

Enter traffic control configuration and check the radius-related properties as shown in the figure below.

Click finish to complete the configuration. A new 802.1x configuration template has been added for AC1.

5. Configure NPS Network Policies


Select network policies->Select the newly created 802.1x template->Check "grant access" to allow access

Check if the PEAP-related settings in authentication are correct, and verify if the selected certificate is accurate.

View the radius attributes in the settings and set the result as shown in the figure.

6. Set NPS Connection Request Policies
Set up NPS connection request policies, the setup method is similar to network policy setup, mainly for
checking the relevant settings, mainly checking the EAP settings section.

Click Edit to check the EAP settings, mainly to check if the certificate selection is correct.

Configuration completed.

2.1.7 Client PC joins the domain and installs certificates


1. Joining a PC to a domain
This document describes the operations on a PC running Windows 10. Similar operations can be performed on other
Windows systems.
On the desktop, select Computer->right-click Properties->open Advanced System Settings->select Change->change the
domain to which the PC belongs->select Other, and check the settings to prevent any residual configuration from previous
domain memberships. After the settings are completed, wait for the PC to join the domain successfully. Once the PC has
joined the domain, it will prompt for a restart. Restart the PC. After the PC restarts, log in to the PC with the
administrator's management account first.

2. Check and set PC on the server side
To check on the server side whether the PC has joined the domain, go to Server Manager -> Active Directory Domain
Services -> Computers (in the right window, check whether the PC has successfully joined the domain, find the
corresponding PC, right-click and select Properties) -> Member Of (as shown in the figure below, add the PC to
the group created earlier; in this example it is added to the wireless ac group) -> on the Dial-in tab, select Allow
access or Control access through NPS Network Policy.

3. Export CA Root Certificate and Client Certificates on the Server Side
(1) Export the CA root certificate on the server side. On the home page of the CA certificate service, select [Download
CA Certificate, Certificate Chain, or CRL], and click the "Download CA Certificate" link to download the
CA root certificate "certnew-root.cer" through the browser. Save the root certificate.

(2) Export Client Certificate on the Server Side

a On the server, log in to http://server-ip/certsrv using the client account and password that were added
earlier. Select [Request a Certificate] >> [Advanced Certificate Request] >> [Create and submit a
request to this CA]. On the "Advanced Certificate Request" page, select "User" as the "Certificate
Template" and leave the rest at the defaults. Click the "Submit" button. Once completed, install the
certificate.

Tools -> Internet Options -> Content -> Certificates -> select the certificate issued to the username that just logged
in -> Export
b Export Certificate
In the next dialog box, select "Yes, export the private key" and keep clicking "Next"; set the key to "ruijie123" and
the certificate file name to "ruijie-client". Click "Finish". Click "Browse" to view the client certificate that has been
downloaded to your computer.

c Copy the CA root certificate and the client certificate generated on the server side to the client PC and
install them. Note that the client PC must be logged in with the administrator account; otherwise
there may be insufficient permissions during the certificate installation process.

4. Install CA Root Certificate on Client PC


For illustration purposes, the following explanation is based on a Windows 10 client.

(1) Double-click to open the CA root certificate, click the "Install Certificate" button, and on the next page
select "Local User".

Figure 2-1

(2) Choose "Trusted Root Certification Authorities" as the "Certificate Store" and click "Next".

Figure 2-1 Choose Certificate Store

(3) If a "Security Warning" message appears, click "Yes" to complete the CA root certificate import.

Figure 2-1 Security Warning

5. Install Client Certificate


(1) Double-click to open the client certificate, click the "Install Certificate" button, select "Local User" on the
next page, and click the "Next" button.

Figure 2-1 Open client certificate

(2) Select the client file to import


In the "Select the file to import" dialog box, choose the client certificate and click "Next".

Figure 2-1 Select the client file to import

(3) On the "Private Key Protection" page, enter the key that was set when the client certificate was exported. For details,
refer to the "Export Certificate" step above.

Figure 2-1 Set Private Key Protection

(4) For "Certificate Store", choose "Automatically select the certificate store based on the type of certificate",
then click "Next".

Figure 2-1 Select "Certificate Store"

Click "Finish".
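The same two imports (steps 4 and 5 above) can be done from PowerShell instead of the certificate import wizard, which also lets you verify that the client certificate actually chains to the CA root before trying the SSID. This is an added example, not code from the Ruijie document; the file paths are assumptions, and the file names and export key are the ones used in this document.

```powershell
# Added example (not from the Ruijie document). Assumed file paths; the file
# names and the export key "ruijie123" are the ones used in this document.
$rootCer   = "C:\certs\certnew-root.cer"
$clientPfx = "C:\certs\ruijie-client.pfx"
$pfxPass   = ConvertTo-SecureString -String "ruijie123" -AsPlainText -Force

# Step 4: CA root certificate into Trusted Root Certification Authorities.
# Cert:\CurrentUser matches the "Local User" choice in the wizard; use
# Cert:\LocalMachine (requires an elevated shell) to trust the CA for every
# account that logs in to this PC.
$root = Import-Certificate -FilePath $rootCer -CertStoreLocation Cert:\CurrentUser\Root

# Step 5: client certificate plus private key into the Personal store.
$client = Import-PfxCertificate -FilePath $clientPfx -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPass

# The PFX must carry the private key ("Yes, export the private key" during
# export); without it the supplicant cannot use the certificate.
if (-not $client.HasPrivateKey) {
    Write-Warning "Client certificate was imported without a private key; re-export it with the key."
}

# Build the chain and confirm it ends at the root just imported. This is the
# same trust relationship the NPS server and the PEAP supplicant rely on.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # lab CA: CRL may not be reachable from the client
$built = $chain.Build($client)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($built -and $chainRoot.Thumbprint -eq $root.Thumbprint) {
    Write-Host "Client certificate $($client.Subject) chains to CA root $($root.Subject)"
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    Write-Warning "Chain check failed: $status"
}
```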

6. Connect the PC to the 1x SSID


For example, take a Windows 10 system:
If AAA domain authentication is performed on the PC side, proceed as follows:
(1) Click directly to connect to the 1x SSID. By default the PC authenticates to the NPS server using the PC name + domain name
(e.g., "host/limin.npstest.com") as the username for 1x authentication. Because the PC has already been
added to the computer list on the server, it can be authenticated directly in this way.

Figure 2-1 Show dot1x summary

If the PC side does not perform AAA domain authentication


On the PC side, if authentication with the computer name fails, a username and password input box pops up. You can
enter the account created earlier, [email protected], directly for authentication.
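Whether the PC authenticates with its computer account or with the user account, the decision is recorded on the NPS server, which is where to look when the SSID connection fails. The following is an added example, not part of the Ruijie document: it reads the NPS audit events from the Security log and lists the recent decisions for requests that arrived from the RADIUS client named AC1 in this document. The event IDs and data field names are those of NPS auditing on Windows Server (6272 = access granted, 6273 = access denied); the function name is an assumption.

```powershell
# Added example (not from the Ruijie document). Run on the NPS server in an
# elevated PowerShell session. NPS auditing (enabled by default) writes
# 6272/6273 events to the Security log; the RADIUS client friendly name
# "AC1" is the one used for the wireless controller in this document.
function Get-NpsDecisions {
    param(
        [string]$ClientName = "AC1",   # RADIUS client friendly name (the AC)
        [int]$MaxEvents = 50
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 6272, 6273 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($ClientName -and $data['ClientName'] -ne $ClientName) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Result  = if ($e.Id -eq 6272) { "Granted" } else { "Denied" }
            # "host/<pc>.<domain>" for computer authentication, the user
            # account (e.g. user@domain) for user authentication
            Account = $data['SubjectUserName']
            Station = $data['CallingStationID']   # client MAC as sent by the AC
            Policy  = $data['NetworkPolicyName']  # should be the 802.1x template created above
            Reason  = $data['Reason']             # e.g. wrong password, no matching policy, cert problem
        }
    }
}

# Most recent decisions first; denied entries show in Reason why the
# network policy or certificate check rejected the request.
Get-NpsDecisions | Format-Table -AutoSize
```

A denied entry whose Policy column is empty means no network policy matched the request (typically the group membership or the Dial-in setting from section 2.1.7 step 2), while a certificate-related Reason points back to the PEAP settings and the certificates installed in steps 4 and 5.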

