Win2008 Config Guide

Uploaded by

Dinhornd

802.1X configuration guide for Trapeze and Windows 2008 Server

In this example we are going to make the wireless users that connect to the Trapeze wireless solution use 802.1X
authentication against the RADIUS server installed on a Windows 2008 Server machine.

The users database is the Active Directory on the same Windows 2008 machine.
The only attribute returned by the RADIUS server is the name of the VLAN (in this case, default).

For the Trapeze system I used an MXR‐2 and an MP‐372. The configuration of the MXR‐2 looks like this:

As you can see, it’s a basic configuration:

‐ WPA/TKIP encryption for the SSID
‐ 802.1X authentication configured in pass‐through mode against a RADIUS server
‐ the RADIUS server details are the ones of the Windows 2008 Server machine

The biggest difference in Windows 2008, as you will see, is that IAS is no longer present. Its place has been taken by
NPS (Network Policy Server), which includes other things as well.

It’s mandatory that you have installed the following roles for the Windows 2008 Server machine (if this machine is
your domain controller you probably already have them installed):

‐ Active Directory Certificate Services
‐ Active Directory Domain Services
‐ DNS Server
‐ Network Policy and Access Services

Steps to configure the Windows 2008 Server machine:

1. Open Server Manager (in Administrative Tools)


Here you have all the services for the roles of your Windows 2008 Server.

2. Create a user and a group in Active Directory


2.1. Go to Active Directory Domain Services
2.2. Go to Active Directory Users and Computers
2.3. Select your domain
2.4. Go to Users
2.5. Right Click Users
2.6. Select New ‐> Group
2.7. Give your User Group a name (in our example it’s testgroup)

2.8. Right Click Users


2.9. Select New ‐> User
2.10. Enter the details for this user; click Next

2.11. Select the password; click Next and Finish


2.12. Double‐click the user just created
2.13. Go to Dial‐in and select Allow access for Network Access Permission
2.14. Go to Member of and select the user group created before

3. Configure NPS
3.1. Go to Network Policy and Access Services
3.2. Select NPS
3.3. Select RADIUS Clients and Servers
3.4. Select RADIUS Clients
3.5. Right‐click RADIUS Clients
3.6. Select New RADIUS Client
3.7. Put all the MX details here: friendly name, IP address and shared secret key (exactly the same as the one
configured on the MX)

3.8. Click OK to finish


3.9. Select NPS again
3.10. In the middle, in the Getting started screen, select RADIUS Server for 802.1X Wireless or Wired
Connections from the drop‐down list
3.11. Click on Configure 802.1X
3.12. Select Secure Wireless Connections and give the policies a friendly name; click Next
3.13. Make sure the RADIUS client configured previously appears here; click Next
3.14. In Configure an Authentication Method select Protected EAP (PEAP) from the drop‐down list
3.15. Click Configure and make sure that you have a certificate to be used for EAP (If not, at the end of this
document you will find out how to generate one)

3.16. In Specify User Groups window select Add and find and select the User group created at steps 2.6‐2.7
Note: you will always get an error when adding a group for the first time; try again and it will work
3.17. In Configure a Virtual LAN (VLAN) window select Configure
3.18. Go to the Vendor Specific attributes
3.19. Click Add, select Vendor Specific
3.20. Click Add, select Vendor Code 14525 (Trapeze), check “Yes, It conforms” button
3.21. Click Configure Attribute, select VSA number 1, attribute format String, and set the attribute value to the name
of the users' VLAN (default in my example)
3.22. After getting back, click Next and Finish
3.23. You will notice 2 policies are created: one Connection Request policy and one Network policy
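
What steps 3.19 to 3.21 put on the wire, as an added example that is not part of the original guide: the "conforms" option means the attribute follows the RFC 2865 Vendor-Specific layout (attribute type 26, a 4-byte vendor ID, then a type/length/value sub-attribute). The Python sketch below builds that attribute for vendor code 14525, VSA number 1 and the string default, and parses it back out of an attribute list, which is a handy check when a client authenticates but lands in the wrong VLAN. The function names, constant names and the sample bytes are assumptions made for this example.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type for Vendor-Specific
TRAPEZE_VENDOR_ID = 14525   # vendor code entered in step 3.20
VLAN_VSA_NUMBER = 1         # VSA number entered in step 3.21 (name is hypothetical)


def encode_vsa(vendor_id, vsa_number, value):
    """Build one RFC 2865 Vendor-Specific attribute with a single string sub-attribute."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vsa_number, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute longer than 255 octets")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(blob):
    """Yield (type, value) for each type/length/value entry; length includes the header."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        a_type, a_len = blob[pos], blob[pos + 1]
        if a_len < 2 or pos + a_len > len(blob):
            raise ValueError("bad attribute length")
        yield a_type, blob[pos + 2:pos + a_len]
        pos += a_len


def trapeze_vlan(blob):
    """Return the VLAN name carried in the Trapeze VSA, or None if it is absent."""
    for a_type, value in iter_attributes(blob):
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != TRAPEZE_VENDOR_ID:
            continue
        # Sub-attributes inside the VSA use the same type/length/value layout.
        for v_type, v_value in iter_attributes(value[4:]):
            if v_type == VLAN_VSA_NUMBER:
                return v_value.decode("utf-8")
    return None


# Constructed sample: a Reply-Message attribute (type 18) followed by the VSA from the guide.
SAMPLE = struct.pack("!BB", 18, 4) + b"ok" + encode_vsa(TRAPEZE_VENDOR_ID, VLAN_VSA_NUMBER, "default")

if __name__ == "__main__":
    print(SAMPLE.hex(), "->", trapeze_vlan(SAMPLE))
```

To check a real deployment, pass trapeze_vlan the attribute bytes of an Access-Accept (everything after the 20-byte RADIUS header) taken from a packet capture between the MX and the NPS server.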

Generating certificate for EAP


If at step 3.15 you get an error about the certificate used by the NPS for PEAP (A certificate could not be found that can be
used with this Extensible Authentication Protocol), please do the following:

1. Open IIS Manager (from Administrative Tools ‐> Internet Information Services (IIS) Manager)
2. Click on the name of your server and double‐click Server Certificates on the right
3. On the right side click on Create Self‐Signed Certificate
4. Enter a friendly name for the server (this will have very little influence on the certificate itself, the common
name will always be the FQDN of the machine – <hostname>.<domain‐name>)

5. A certificate will be generated and will appear in the list.


6. Now, if you go back to 3.15 and try to configure the EAP method you will see that a certificate is available
