Mat's Techblog

Securing Wireless Networks with Windows Server 2008 and NPS

In this post I'm going to go through the process of securing your wireless network using Windows Server 2008 and the NPS (Network Policy Server) role from start to finish. Previously, I was using Windows Server 2003 with IAS (Internet Authentication Services) to secure my wireless network, until I recently upgraded all of my servers to Windows Server 2008. By the way, NPS is the new version and name for IAS. Here is the TechNet guide which I followed: http://technet.microsoft.com/en-us/library/cc771455.aspx

I will be applying these guidelines to the following environment:

- A Windows Server 2008 machine running AD DS (Active Directory Domain Services)
- A Windows Server 2008 machine running NPS (Network Policy Server) and AD CS (Active Directory Certificate Services)
- A Linksys WAP54G (an entry level wireless access point; you can use any wireless access point that supports RADIUS)

You can run NPS, AD DS and AD CS on the same machine if you want to, but I wouldn't recommend it (personally, I prefer to keep my domain controllers running only AD DS). I'm not going to go through the process of installing AD DS as it's a little out of scope for this post, so we'll start from having an established domain, and a clean install of Windows Server 2008 on which we will install AD CS and NPS.

The first step is installing AD CS and NPS on your clean Windows Server 2008 install:

1. First, you'll need to join the server to your existing domain and then restart;
2. After the server restarts, open Server Manager;
3. Click on the Roles node;
4. Click on Add Roles;
5. On the Server Roles screen, select Active Directory Certificate Services and Network Policy and Access Services;
6. Follow the wizard, selecting Network Policy Server when configuring the Network Policy and Access Services role and leaving the default Certification Authority role service selected for AD CS;
7. Select Enterprise for the setup type for AD CS;

http://techblog.mirabito.net.au/?p=87

2/1/2012


8. Choose Root CA for the CA Type (remember we're assuming that this is the first Certification Authority in your environment, so if it's not you either don't need to install this role, or if you choose you can configure this server as a Subordinate CA instead);
9. Run through the rest of the wizard, making any changes you may wish to, otherwise just leave the defaults as they are appropriate (I changed the CA Common Name to the name of the server, as I think it's cleaner). Note that there is a warning at the end of the wizard, stating that the name of this server cannot be changed after installing the AD CS role.

Now that you have a Root CA and an NPS server on your domain, we can start configuring it:

1. Open an MMC console, and go to File -> Add/Remove Snap-in;
2. Add the Certificates snap-in, selecting Computer account for the local computer;
3. Expand Certificates (Local Computer) -> Personal, right click on Certificates and choose Request new certificate;
4. Follow the wizard, choosing Computer for the certificate type and then click the Enroll button, then close MMC;
5. Open the Network Policy Server administrative console from Administrative Tools;
6. Right click on the parent node, NPS (Local), and click Register server in Active Directory. Click OK on the two informational popups;
7. With the NPS (Local) node still selected, choose RADIUS server for 802.1X Wireless or Wired Connections and then click on the Configure 802.1X button;
8. Under Type of 802.1X connections, select Secure Wireless Connections and provide an appropriate name for the policies which will be created as part of this wizard;
9. In the next step, you'll need to configure a RADIUS client (by the way, RADIUS stands for Remote Authentication Dial In User Service), so click on the Add button;
10. The RADIUS client will be your wireless access point, so for the friendly name type in something to identify the access point (for example, AP01), then provide the IP address or DNS entry for the access point;
11. Click on the Generate radio button, and then click on the Generate button to generate a shared secret. Copy the shared secret to a notepad document, and click OK. Note that on my particular access point, a character limit of 22 characters exists for shared secrets, so I had to cut the string down to the acceptable limit; I would suggest checking for this limitation on your own hardware;
12. Click Next, and then choose Microsoft: Protected EAP (PEAP) and then click on the Configure button (if you get an error message, you probably didn't follow steps 1 -> 4 correctly);
13. Ensure that the Certificate issued drop down box has the certificate you enrolled in step 4;
14. Click Next, and then click on the Add button to use an Active Directory group to secure your wireless (you should add both the machine accounts and user accounts to this group to allow the machine to authenticate on the wireless before the user logs in);
15. On the next step of the wizard, you can configure VLAN information, otherwise just accept defaults to complete;
16. Restart the Network Policy Server service.

If you expand the Policies node now, you'll see that the wizard has created a Connection Request Policy and a Network Policy containing the appropriate settings to authenticate your wireless connection. These individual policies can obviously be created manually, but the wizard is an easier method. You can also remove the less secure authentication method options, and increase the encryption methods in the network policy if you wish (I have configured mine this way):


1. Under the Network Policies node, bring up the properties of the newly created policy;
2. On the Constraints tab, uncheck all of the checkboxes under Less secure authentication methods;
3. On the Settings tab, click on Encryption and uncheck all boxes except Strongest encryption (MPPE 128-bit);
4. Save the policy and then restart the Network Policy Server service.

With the NPS server configured to accept requests from your wireless access point, you'll now need to configure the access point to communicate with the NPS server. These instructions are for my Linksys WAP54G, but will be similar to most access points which support RADIUS:

1. In the web interface for the access point, click on the Wireless tab and assign an appropriate SSID;
2. Click on the Security sub-tab, and set the Security Mode to WPA-Enterprise (if your access point supports WPA2-Enterprise, use this instead);
3. Set the Encryption to AES, and then provide the NPS server IP as the RADIUS Server and the Shared Secret that you saved in step 11 above;
4. Save your settings and restart the access point.

Now your access point should be configured to talk to your NPS server, so all that is left is to configure your clients to connect. The recommended way of doing this would be to use Group Policy, but the instructions below are for configuring a Windows Vista client. You can easily replicate these actions in a Group Policy under the Security node.

To configure a Windows Vista client which is joined to the domain:

1. Open up the Network and Sharing Center;
2. Click on Connect to a network;
3. Locate the network you have just secured (it should say Security-enabled network next to it) and click the Connect button;
4. It will take a short while to set up the profile and then connect successfully.

You can also configure a few extra settings to speed up the time it takes to connect (it won't improve the overall speed, only the time it takes to initially connect to the wireless network):

1. In the Network and Sharing Center, click on Manage wireless networks and then double click the network you set up above;
2. Click the Security tab, and then the Settings button below;
3. The Validate server certificate checkbox should already be selected by default, but you should also select the CA that you set up earlier under the Trusted Root Certification Authorities to speed up the certificate verification process;
4. You can also check the box Do not prompt user to authorize new servers or trusted certification authorities in order to improve the user's experience.

Some suggestions and recommendations:

- Use a security group with the appropriate machine and user accounts as members to secure your network;
- Group Policy is by far the best way to deploy the client side settings, but will obviously require an established domain connection in order to push these settings down to the clients;
- While disabling SSID broadcast on your access point sounds like an increased security measure, it can be a security risk if you are configuring your workstations to actively look for the SSID name.


Potential session hijackers could intercept this traffic and set up an SSID with the requested name, unknown to the user, who would then connect to a potentially malicious network;
- You can vary the encryption type from AES to TKIP if your devices don't all support AES, although AES is the preferred encryption algorithm;
- If you're having trouble with your connection, there are a few places you can look to troubleshoot, namely the local client event logs, the NPS log file which lives in C:\Windows\System32\LogFiles and, most importantly, the Security event log of the NPS server, which contains detailed information about access successes and failures.
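The troubleshooting note above points at the NPS log file and the Security event log. The script below is an added example (not from the original post, and not Microsoft's tooling) that triages NPS log lines written in the legacy IAS comma-separated format: it counts Access-Accept and Access-Reject packets per RADIUS client, tallies reject reason codes, separates codes that point at an NPS or CA misconfiguration (such as reason code 22, the "EAP Type cannot be processed by the server" error several commenters hit) from plain credential failures, and flags users with repeated rejects. The column order in FIELDS, the reason-code descriptions, and the sample log lines are all assumptions constructed for the example; confirm the column layout against the documentation for your NPS version before running it over real logs.

```python
"""Triage of NPS log lines in the legacy IAS (comma-separated) format.

Added example, not part of the original post. The column order in FIELDS is an
assumption about the IAS-format layout; confirm it against the NPS
documentation for your server version before using it on real logs.
"""
import csv
import io
from collections import Counter

# Assumed IAS-format column order (first 26 columns; any later columns are ignored).
FIELDS = [
    "computer", "service", "date", "time", "packet_type", "user", "fq_user",
    "called_station", "calling_station", "callback", "framed_ip", "nas_id",
    "nas_ip", "nas_port", "client_vendor", "client_ip", "client_friendly_name",
    "event_ts", "port_limit", "nas_port_type", "connect_info", "framed_proto",
    "service_type", "auth_type", "policy_name", "reason_code",
]

# RADIUS packet codes as written to the Packet-Type column (RFC 2865/2866).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

# Reason codes that appear in the post's comments; extend from the NPS docs.
REASON_CODES = {
    0: "success",
    16: "authentication failed (user credentials mismatch)",
    22: "EAP type cannot be processed by the server "
        "(check the server certificate and the EAP types on the network policy)",
}
# Rejects with these codes point at NPS/CA configuration, not at the user.
SERVER_SIDE_REASONS = {22}


def make_line(**values):
    """Build one constructed IAS-format line (sample data, not a real capture)."""
    row = [str(values.get(name, "")) for name in FIELDS]
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(row)
    return buf.getvalue()


def parse_line(line):
    """Split one log line into a dict keyed by FIELDS; numeric columns become ints."""
    rec = dict(zip(FIELDS, next(csv.reader([line]))))
    for key in ("packet_type", "reason_code"):
        rec[key] = int(rec[key]) if rec.get(key) else None
    return rec


def records(log_text):
    """Yield parsed records, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def summarize(log_text):
    """Accepts/rejects per RADIUS client, rejects per reason code, server-side reject count."""
    accepts, rejects, by_reason = Counter(), Counter(), Counter()
    server_side = 0
    for rec in records(log_text):
        client = rec.get("client_friendly_name") or rec.get("nas_ip") or "unknown"
        if rec["packet_type"] == 2:
            accepts[client] += 1
        elif rec["packet_type"] == 3:
            rejects[client] += 1
            by_reason[rec["reason_code"]] += 1
            if rec["reason_code"] in SERVER_SIDE_REASONS:
                server_side += 1
    return {"accepts": dict(accepts), "rejects": dict(rejects),
            "by_reason": dict(by_reason), "server_side_rejects": server_side}


def repeated_failures(log_text, threshold=3):
    """Users rejected at least `threshold` times: a guessing attempt or a stale saved password."""
    per_user = Counter(rec["user"] for rec in records(log_text) if rec["packet_type"] == 3)
    return sorted((user, n) for user, n in per_user.items() if n >= threshold)


def reason_text(code):
    """Human-readable reason, falling back to the bare code for unknown values."""
    return REASON_CODES.get(code, "unknown reason code %s" % code)


# Constructed sample log: one accept for a user via AP01, three rejects for another
# user with reason 16 via AP01, and a machine account rejected with reason 22 via AP02.
_common = dict(computer="NPS01", service="IAS", date="12/26/2008",
               policy_name="Secure Wireless Connections")
SAMPLE_LOG = "\n".join(
    [make_line(time="18:31:02", packet_type=2, user="DOMAIN\\alice", client_ip="192.0.2.10",
               client_friendly_name="AP01", reason_code=0, **_common)]
    + [make_line(time="18:32:0%d" % i, packet_type=3, user="DOMAIN\\bob", client_ip="192.0.2.10",
                 client_friendly_name="AP01", reason_code=16, **_common) for i in range(3)]
    + [make_line(time="18:33:15", packet_type=3, user="host/PC01.domain.local", client_ip="192.0.2.11",
                 client_friendly_name="AP02", reason_code=22, **_common)]
)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("accepts per client:", summary["accepts"])
    print("rejects per client:", summary["rejects"])
    for code, n in sorted(summary["by_reason"].items()):
        print("reason %s: %d -> %s" % (code, n, reason_text(code)))
    print("server-side rejects:", summary["server_side_rejects"])
    print("repeated failures:", repeated_failures(SAMPLE_LOG))
```

A run of reason 22 rejects across every client and user is a server problem (certificate or EAP type on the policy), not something to chase on the workstation; a burst of rejects for one user from one access point is the pattern to correlate with the Security event log on the NPS server.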
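Step 11 generates the shared secret that the access point and the NPS server both hold, and notes that some access points truncate it. The secret is never sent on the wire: in RADIUS (RFC 2865) the server mixes it into the MD5 Response Authenticator of every reply, and the access point recomputes that value with its own copy before trusting the reply. The following added example (not from the original post) builds a minimal Access-Request and Access-Accept with that construction and shows that when the access point keeps only a truncated prefix of the secret, the server's reply fails verification and is discarded, which is what a device with a 22-character limit does if NPS still holds the full string. The packet identifier, user name, NAS identifier and secret strings are constructed values.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865 framing).

Added example, not from the original post: it shows how the shared secret from
step 11 is used. The secret, user name, NAS identifier and packet identifier
are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER = 1, 32
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(atype, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attrs):
    """Assemble Code | Identifier | Length | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def client_access_request(identifier, username, nas_id):
    """Access point side: fresh random Request Authenticator plus identity attributes."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode())
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def server_reply(request, accept, server_secret):
    """NPS side: reuse the request's Identifier and Request Authenticator, then sign the reply."""
    _, identifier, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    attrs = b""  # a real Access-Accept would carry VLAN, session-timeout or key attributes
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    auth = response_authenticator(code, identifier, request_auth, attrs, server_secret)
    return build_packet(code, identifier, auth, attrs)


def client_verify(reply, request_auth, client_secret):
    """Access point side: recompute the Response Authenticator with its own copy of the secret."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, request_auth, reply[HEADER_LEN:], client_secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def exchange(client_secret, server_secret, accept=True):
    """Run one request/reply; returns (reply code, whether the AP accepts the reply as genuine)."""
    request, request_auth = client_access_request(42, "DOMAIN\\alice", "AP01")
    reply = server_reply(request, accept, server_secret)
    return reply[0], client_verify(reply, request_auth, client_secret)


# Constructed secrets: NPS keeps the generated string, while a device with a
# 22-character limit silently keeps only the prefix.
FULL_SECRET = b"example-generated-secret-longer-than-22-characters"
TRUNCATED_SECRET = FULL_SECRET[:22]

if __name__ == "__main__":
    print("matching secrets:   ", exchange(FULL_SECRET, FULL_SECRET))        # (2, True)
    print("AP truncated secret:", exchange(TRUNCATED_SECRET, FULL_SECRET))   # (2, False)
```

Because the access point silently drops a reply it cannot verify, a secret mismatch looks to the user like an authentication that simply times out, with NPS showing a successful Access-Accept in its own log; the fix is the one the post applies, shortening the secret on both sides rather than only on the device. The MD5 construction is weak by modern standards and only protects the access-point-to-NPS leg; the user's credentials are carried inside the PEAP TLS tunnel, which is why the server certificate steps matter more than the secret's format. Keep the secret unique per RADIUS client and as long as the device allows.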

Tags: 802.1, 802.1x, active directory certificate services, active directory domain services, ad cs, ad ds, aes, ca, certification authority, domain wireless, enterprise, ias, intenet authentication services, linksys, network policy and access services, network policy server, nps, peap, protect wireless, protected eap, protected wireless, radius, secret, secure, security, security-enabled network, shared secret, tkip, validate server certificate, wap54g, wireless, wpa, wpa-enterprise, wpa2
This entry was posted on Friday, December 26th, 2008 at 6:30 PM and is filed under Network, Windows. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

34 Responses to Securing Wireless Networks with Windows Server 2008 and NPS

1. Ray says: January 20, 2009 at 11:41 AM

Nice guide! I had a new 2k8 server running AD that I applied your guide to. I listed the few things I had to do below before it would work. I wanted to help anyone else who might run into the same thing. I used the link below and had to modify the things in red to be able to generate a computer certificate. Before, it said I did not have the authority to create a computer certificate. http://technet.microsoft.com/en-us/library/cc774602.aspx

1. Click Start, point to Administrative Tools, and click Active Directory Sites and Services.
2. On the View menu, click Show Services Node.
3. Double-click Services, double-click Public Key Services, click Certificate Service, and double-click Machine Properties.
4. On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.
5. Right-click Domain Users, and click Properties.
6. On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.

I also installed the IIS component to get certificates over the web. I was able to get the certificate okay. But then the clients could not connect, with an error in the security log stating:

Authentication Details:
Proxy Policy Name: Use Windows authentication for all users
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: Server.domain.local
Authentication Type: EAP
EAP Type:
Account Session Identifier:
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

To fix that I opened NPS and opened Policies, then Network Policies. Open Connections to the other access servers. On the Constraints tab add Microsoft: Smart Card or Other Certificate. I also followed the advice of your article and disabled the less secure connection methods and encryption types. Then the clients could connect perfectly!

2. Ray says: January 20, 2009 at 11:43 AM

Almost forgot: open NPS and Policies, then Network Policies. Open Connections to the other access servers. Open it and grant access!

3. Sergio Luiz says: April 26, 2009 at 8:47 AM

Hello! Thank you for your article, it helped me to set up my Radius on a WRT600N, using DD-WRT. But I have a question. My company receives guests and sometimes they need to access the internet. Using Radius, how can I do that, without the need for these guests to enter my AD domain? Thanks!!

4. Mat Mirabito says: April 26, 2009 at 10:12 AM

Hi Sergio, there are a few ways you can do this. My recommended method involves m0n0wall or pfSense to set up a captive portal. This way you will maintain two wireless access points (either two physical, or two virtual access points depending on what your wireless hardware supports) and leave one unsecured. You can then configure m0n0wall or pfSense to provide a captive portal on this interface which will redirect all users accessing the wireless to a web page where they will need to log in (like a wireless hotspot at a cafe, for example).

I have been in the process of writing an article detailing this, but haven't had the chance to finish it yet. If you Google it there should be a bit of information on it. The second, and easiest, method is just to alter the policy on your NPS server to relax the restrictions.

5. Wireless network says: May 7, 2009 at 8:04 AM

Nice article, you guide it very well. I use these features on my PC and it works easily. Thanks for posting this article. It's very helpful for me.

6. en6inzey6eko6lu says: May 15, 2009 at 9:41 AM

What can I do for creating the computer cert? It says "you don't have permission". I followed Ray's topic, but when I click on Public Key Services there is nothing like in his topic to click or change security settings about it. Can you help me about it? P.S.: I have only one server for everything. Yours is just about the NPS. ty

7. en6inzey6eko6lu says: May 15, 2009 at 10:20 AM

And my AP is AP-301 (AirTies). When configuring RADIUS, I select wpa-inter and RADIUS IP, port, etc. I can't select AES (no option for selecting AES or TKIP). If I can create the computer cert and follow your topic, can it work with this AP? ty

8. Michel Tan says: May 17, 2009 at 3:44 PM

Did you ever get this to work with Cisco Aironet 1200? I am having problems. Any help would be appreciated.

9. Nik Timmermans says: July 21, 2009 at 11:00 PM

Thanks a lot for this guide. I was playing around with NPS and couldn't get it to work, apparently my certificates weren't working well. Can confirm if it works when I'm back home, thanks again!

10. Jeff says: August 4, 2009 at 1:07 AM

Mat or Ray, I'm trying to follow your directions and get stuck at the point I'm creating the Computer Cert. I have the problem that Ray refers to in his first post; however, when I go to Active Directory Sites and Services; Show Services Node; Services and then Public Key Services, I do not see the Certificate Service option. The options that I do see under Public Key Services are AIA, CDP, Cert Templates, Cert Authorities, Enrollment Services, KRA & OID. Does anyone know what I am doing wrong? I'm a Cisco guy and not Microsoft. Jeff

11. Colby Stirland says: February 6, 2010 at 5:06 AM

Thanks for the write up. Wanted to post some things I found just in case it helps others.
* My NPS server was also the Domain Controller; when I created the certificate I couldn't create a computer certificate, I had to do another domain controller certificate, but it worked for this (good, because I couldn't find the folders under Public Key Services in AD Sites and Services like others).
* I had to move the newly created network policy to the top priority in order for things to work.

12. Sang says: February 10, 2010 at 2:03 AM

I'm trying to follow your directions and get stuck at the point I'm creating the Computer Cert. When I go to Active Directory Sites and Services; Show Services Node; Services and then Public Key Services, I do not see the Certificate Service option. The options that I do see under Public Key Services are AIA, CDP, Cert Templates, Cert Authorities, Enrollment Services, KRA & OID. Does anyone know what I am missing? Any help would be appreciated.

13. Matthew says: February 27, 2010 at 2:42 PM

I have set this up, and it works perfectly for users' computers that are already part of the domain; however, when a non-domain computer attempts to connect, it asks for the username and password, then fails. Server reports NAP error code 16. Any thoughts? Thanks!

14. Devang Patel says: March 18, 2010 at 5:05 PM

I have set this up, and it works perfectly for users' computers that are already part of the domain; however, when a non-domain computer attempts to connect, it asks for the username and password, then fails. Server reports NAP error code 16. Any thoughts? Thanks! Any procedure for working on a non-domain computer using NPS for wireless?

15. Server 2008 AD as Radius Server for Wireless Clients in the Enterprise | Network San Antonio says: July 22, 2010 at 5:09 AM

[...] So, configuring Server 2008 Server as a Radius Server for Wireless clients has changed considerably. I stumbled across a great blog posting on how to configure radius authentication against AD in Server 2008 here. [...]

16. TK says: September 11, 2010 at 8:51 AM

@Devang Patel Try unchecking the "Valid server certificate" checkbox and try connecting again.

17. CypherBit says: November 9, 2010 at 6:45 AM

Nice guide, one which I'll probably need to use in an upcoming setup. We're currently using RADIUS on a Windows 2k3 box and have two networks (different VLANs and all), one for internal users (they get the settings through GPO and certificates are used, much like in this guide) and another one for our guests. The problem is that our guest network always prompts for a username and password and there's no way for the client (be it a regular PC or, even more often, a phone) to remember it; typing both in each and every time a user checks their e-mail is annoying. How could I configure our guest network to authenticate to a RADIUS running on our new Windows 2k8 R2 box, so that security is as high as possible (keep in mind phones won't be domain joined machines) and get away from the current constant prompts for username and password?

18. CypherBit says: November 20, 2010 at 1:37 AM

Can anyone help me out with the above?

19. network policy + WPA enterprise (tkip) Windows 2008 R2 says: November 20, 2010 at 9:29 PM

[...] hi I've attempted the following guide and in a bit of a pickle. http://techblog.mirabito.net.au/?p=87 [...]

20. Setting up Wireless 802.1x with Windows Server 2008 and NPS Blog Archive JADOTA Just Another Day Of The Admin! says: November 25, 2010 at 11:24 PM

[...] 72 hours later Frustration is getting the better of me. I have installed RADIUS Test Clients to see if authentication is working as expected (and it did), IAS Log Viewer from

Deepsoft was used to debug the NPS logs. Until I found this article on Mat's Techblog: Securing Wireless Networks with Windows Server 2008 and NPS. [...]

21. Getting Certificates working with NAP My Blog, My Precious. says: November 27, 2010 at 5:06 AM

[...] [...]

22. Tweets that mention Securing Wireless Networks with Windows Server 2008 and NPS Mat's Techblog -- Topsy.com says: February 14, 2011 at 2:38 AM

[...] This post was mentioned on Twitter by cinnamon carter, alex knorr. alex knorr said: Securing Wireless Networks with Windows Server 2008 and NPS & Mat's Techblog http://su.pr/2N7LDH [...]

23. yoyomeg says: April 18, 2011 at 10:50 PM

Hello, I have a Windows 2008 but in my configuration I shouldn't use certificates. I am getting in the logs the error message "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server." on the Security tab and the error "Negotiation failed, EAP methods are not available" on the Application tab. Do you have an idea please?

24. aicram says: May 26, 2011 at 10:01 PM

To yoyomeg: even if you do not use certificates, for PEAP you have to have a server certificate (just the server, and the cryptographic security provider should do schannel). For that you should install the role AD CS (with the web enrollment); it works also for standalone CAs, for not enterprise editions. By the way, check also the event logs from Windows, like System and Application (not just the NPS event logs). (I am talking about 2008 R2, but it is probably the same for 2008.)

25. Tim says: July 6, 2011 at 3:39 AM

Great post! I had a new RADIUS server and CA accepting clients in under 1 hour. Thanks.

26. Oliver says: July 6, 2011 at 6:22 AM

Very Nice POST !!! Thanks ! This helped me resolve my problem !!! Oliver

27. Jason0352 says: July 9, 2011 at 12:10 AM

Awesome write up, but I can't seem to get Win7 hosts to authenticate successfully. OSX and iPhones can accept the cert and connect with no problem though. Getting an error in event viewer of "The Certificate chain was issued by an authority that is not trusted." I've been researching that error with no solution yet. Any help would be awesome by someone with experience with Server 2008 RADIUS.

28. Pat Jensen says: August 3, 2011 at 4:56 PM

Thanks Mat for the blog post, I had 802.1x working on my Cisco Aironets in the lab in about 25 minutes. Good stuff!

29. Toleukhan says: September 5, 2011 at 10:24 PM

Authentication Type: EAP
EAP Type:
Account Session Identifier:
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

This message is if something is wrong with your Certificate Authority server.

30. Joel says: September 11, 2011 at 3:59 AM

Easy to follow, got it set up in about 10 minutes. Then have spent the past two days trying to figure out why I can't get it to work. I get these debug errors:

1. dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
2. failed: by EAP authentication server
3. (SERVER_WAIT,SERVER_FAIL)

My AP is a Cisco AIR-AP1142N-A-K9. If anyone has an idea please let me know. On a side note I did get our Cisco gear (routers/switches) to authenticate via RADIUS on this same 2008 R2 server. Just stuck on the wireless. P.S. I disabled all in NPS I created for the routers/switches, just in case anyone is thinking that is interfering with the wireless.

31. Shan says: September 27, 2011 at 11:17 PM

Helped! Thx a lot! Greetings Shan

32. Alex Karnafel says: October 7, 2011 at 3:36 PM

Cannot authenticate using Windows 7. Looking at logs, it's doing something. I'm using DD-WRT software for AES authentication. Creating certs with no problems. Everything followed to the letter and cannot connect. Please help. Thanks,

33. Alex Calhoun says: December 14, 2011 at 4:14 AM

Has anyone tried this using CA on a 2003 box and NPS on a 2008 box? I can't request a new cert on the 2003 box, so I'm not sure if this is a permissions issue or not. Thanks.

34. Vince says: January 25, 2012 at 5:09 AM

Thanks for the NPS Wireless Guide. Two things: Make sure you use the correct certificate. Do not install Routing and Remote Access along with NPS. Best, Vince
