Sunday, 23 November 2014

Setting Up a WPA Enterprise Wireless Network with FreeRADIUS and LDAP

http://electronic-blue.herokuapp.com/blog/2014/06/setting-up-wpa-enterprise-with-freeradius-and-ldap/

Recently I tried setting up a WPA-Enterprise wireless network at the company and letting users log in with their LDAP accounts. The process had enough twists and turns that it would be a shame not to write it down.

Wireless Encryption and Authentication

Unlike a wired network running over physical cables, a wireless network's medium is the air: anyone with bad intentions only needs to place an antenna within signal range to eavesdrop on, or even forge, wireless traffic. Requiring encrypted connections when you set up a wireless network has therefore become the most basic of common sense.
There are several wireless encryption schemes. WEP has been shown to have serious weaknesses, so you should not use it any more. Its replacements are WPA and WPA2; the latter uses a stronger cipher, and here in 2014 you should send any device that does not support WPA2 off for recycling.

WPA Personal / Enterprise

To keep neighbours from piggybacking on your network, WPA only lets authenticated users connect, and the authentication methods fall into two broad categories: Personal and Enterprise. The most common is Personal, also known as PSK (Pre-Shared Key), and its method is simple: users enter a single shared password and they are on the network. Because it is so easy to set up, WPA-Personal is used almost everywhere in homes, cafés and small companies without an IT department.
In many situations, however, a shared password is dangerous. If the wireless network connects to internal company resources, a leaked password is a real problem, and changing it draws complaints from users. WPA-Enterprise therefore uses an extensible protocol that lets users prove their identity in a variety of ways, including username and password, certificates and even a mobile phone SIM card.

RADIUS

Today's wireless APs all support WPA-Enterprise, but they do not authenticate users themselves. Instead, they assume there is a server in your network that handles authentication; the AP simply forwards the information the user supplies to that server and asks whether the user passes. This server is called RADIUS. Using RADIUS has a benefit: when we deploy several APs, we do not need to configure user accounts on each one; we just point them all at the same RADIUS server.
Setting up a RADIUS server is not hard; an open source package called FreeRADIUS provides the full feature set, and on Linux it installs with apt or yum. In the examples that follow we also want FreeRADIUS to use the accounts and passwords stored in LDAP, so we install the LDAP module as well:
# apt-get install freeradius freeradius-ldap

Configuring FreeRADIUS

WPA-Enterprise supports many ways of authenticating users. We want users to authenticate with their LDAP username and password, so we must use PEAP-MSCHAPv2, a protocol that is widely supported across operating systems.
Note that, by the design of MSCHAPv2, LDAP must hold either the plaintext password or its MD4 hash for the client to be verified. Fortunately our LDAP also serves account information to Samba, and the sambaNtPassword attribute is exactly the MD4 hash of the password. If your LDAP database has no Samba passwords, you will have to find a way to get users to update their passwords.
First edit /etc/freeradius/modules/ldap. The first few entries naturally change to match your LDAP server; the rest can stay at their defaults.
ldap {
    server = "localhost"
    basedn = "ou=user,dc=yourcompany,dc=com"
    filter = "(uid=%u)"
    ...
}
Next is /etc/freeradius/sites-enabled/default. Edit the authorize and authenticate sections so that each contains only the following:
authorize {
    preprocess
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
}

authenticate {
    eap
}
Next is /etc/freeradius/sites-enabled/inner-tunnel; edit the authorize and authenticate sections in the same way:
authorize {
    mschap
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    ldap
    expiration
    logintime
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
Next is /etc/freeradius/clients.conf, where we list the IP address of the wireless AP:
client 192.168.1.254 {
    secret = PASSWORD
    shortname = Wireless-AP
}
PASSWORD here is a shared secret: only an AP that knows this secret may use our RADIUS server. Now we can configure the AP:
In the AP's settings choose WPA Enterprise authentication and fill in the RADIUS server details; clients can then log in to the wireless network with their LDAP accounts.

Client Configuration

Most client software is smart enough to pick PEAP-MSCHAPv2 from the information the RADIUS server offers, so entering a username and password is all it takes to start using the wireless network, but some operating systems need extra configuration.

Android

Android does not choose the EAP method automatically, so you must manually set the EAP method to PEAP and the Phase 2 authentication to MSCHAPv2 before the username and password fields appear. ("Anonymous identity" can be left blank.)

Windows

Compared with other operating systems, configuring WPA-Enterprise on Windows is very troublesome. When PEAP sets up the TLS tunnel, Windows tries to validate the RADIUS server's certificate, and when validation fails it gives no error message at all to go on. Since I have not yet managed to produce a certificate that passes validation (even after installing my own root CA on the client), I had no choice but to skip the certificate check. Here is how:
  1. Open "Network and Sharing Center" in Control Panel, click "Set up a new connection or network" and choose "Manually connect to a wireless network".
  2. Enter the wireless AP's SSID and choose "WPA2-Enterprise" as the security type.
  3. Click Next, then choose "Change connection settings".
  4. On the "Security" tab, make sure the network authentication method is "Microsoft: Protected EAP (PEAP)" and click the "Settings" button next to it.
  5. Turn off "Validate server certificate" and confirm that the authentication method below it is "Secured password (EAP-MSCHAP v2)".
  6. Go back one level, click "Advanced settings", tick "Specify authentication mode" under "802.1X settings" and choose "User authentication".
After these steps you can log in to the wireless network with a username and password. In practice, though, the steps are quite involved and unfriendly to ordinary users, so we can use netsh to export a profile:
C:\> netsh wlan export profile WIRELESS-SSID
This command writes the settings of the given SSID into an XML file; on other computers the following command imports them:
C:\> netsh wlan add profile filename=WIRELESS-SSID.xml
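Before handing an exported profile to other machines it is worth checking what it actually enforces, because a profile that skips server certificate validation (as the one above does) lets the client build the PEAP tunnel to any RADIUS server that answers for the SSID, which is exactly the spoofing case the server certificate exists to prevent. The following is an added example, not part of the original post: a small audit of an exported profile XML. The sample XML is constructed, and the element names (PerformServerValidation, TrustedRootCA, ServerNames) follow Microsoft's PEAP profile schema as I know it, so compare them against your own export.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a PEAP-MSCHAPv2 profile as `netsh wlan export profile` writes it,
# with server certificate validation switched off (assumption: element names as in
# Microsoft's EapHostConfig / MsPeapConnectionProperties schema).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>WIRELESS-SSID</name>
  <SSIDConfig><SSID><name>WIRELESS-SSID</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                  <ServerNames></ServerNames>
                </ServerValidation>
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                  <Type>26</Type>
                </Eap>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]     # drop the namespace so the check survives schema versions


def _texts(root: ET.Element, name: str) -> List[str]:
    """Text of every element with this local name, in document order."""
    return [(el.text or "").strip() for el in root.iter() if _local(el.tag) == name]


def audit_profile(xml_text: str) -> Dict[str, object]:
    """Summarise what a PEAP wireless profile enforces and flag weak validation settings."""
    root = ET.fromstring(xml_text)
    eap_types = _texts(root, "Type")
    validation = _texts(root, "PerformServerValidation")
    result: Dict[str, object] = {
        "ssid": (_texts(root, "name") or [None])[0],
        "authentication": (_texts(root, "authentication") or [None])[0],
        "outer_eap": eap_types[0] if eap_types else None,        # 25 = PEAP, 13 = EAP-TLS
        "server_validation": bool(validation) and validation[0] == "true",
        "trusted_root_cas": [t for t in _texts(root, "TrustedRootCA") if t],
        "server_names": (_texts(root, "ServerNames") or [""])[0],
        "warnings": [],
    }
    warnings: List[str] = result["warnings"]  # type: ignore[assignment]
    if result["outer_eap"] == "25":
        if not result["server_validation"]:
            warnings.append("server certificate validation is off: the client cannot tell the "
                            "real RADIUS server from a rogue one before sending credentials")
        else:
            if not result["trusted_root_cas"]:
                warnings.append("validation is on but no root CA is pinned: any CA in the "
                                "machine's trust store is accepted")
            if not result["server_names"]:
                warnings.append("no server name is pinned (ServerNames is empty)")
    return result


if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

Run it against the file written by `netsh wlan export profile` by passing the file's contents to audit_profile; a profile with an empty warnings list is the one to distribute.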

References

Friday, 21 November 2014

How to Import a CA Certificate on Android

http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/#Configure-Wireless-Client

PEAP and EAP-TLS on Server 2008 and Cisco WLC


Introduction

To make wireless networks really secure you should use a RADIUS server to authenticate your users instead of using a pre-shared key. The RADIUS server will handle the authentication requests and uses EAP (Extensible Authentication Protocol) to communicate with users. There are many EAP types and the most popular ones are:
  • PEAP (Protected EAP)
  • EAP-TLS
PEAP is normally used to authenticate users by using a username and password. The RADIUS server will show a certificate to the users so that they can verify that they are talking to the correct RADIUS server. EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a client certificate.
This tutorial will walk you through the installation and configuration of Windows Server 2008 using NPS (Network Policy Server) as the RADIUS server for a Cisco wireless LAN controller. We will configure the server so that it supports PEAP using MS-CHAPv2 for password authentication but we’ll also look at EAP-TLS which can be used to authenticate clients using certificates that we will generate on the server. In this tutorial we will configure the following components on the server:
  • Active Directory
  • DNS
  • Certificate Services
  • IIS
  • NPS
Active Directory (AD) is where we store all the user accounts; it is the central database that we use for authentication. Whenever you install AD you also require a DNS server. Certificate Services will be used to make the server a root CA so that we can generate a computer certificate to present to wireless clients and generate the client certificates for EAP-TLS.
IIS is the web server and we will use it so that EAP-TLS clients can easily request a certificate with their web browser for their wireless connection. Last but not least, NPS is the RADIUS server and that’s where we will configure some wireless policies.
I realized that many network engineers are comfortable configuring switches and wireless equipment but might be new to Windows Server 2008. This “how to” was written so anyone without “Windows Server” experience should be able to get the job done.
This is the topology that I will use for this example:
Server 2008 EAP Demo Topology
A fairly simple topology with a single switch that connects the server, WLC and access point together. I’m using a Cisco wireless LAN controller to demonstrate this but the configuration will be the same for any other wireless LAN controller or access point. The configuration for Windows Server 2008 will be the same. There’s plenty of work so let’s get started!

Basic Network Configuration

Before we start with the installation of Active Directory we’ll fix some basics like setting the correct computer name and IP address.

Computer Name

Click Start > Computer (right mouse click) > Properties.
windows server 2008 computer properties
Click on Change Settings.
Windows Server 2008 System
Click the Change button.
Windows Server 2008 System Properties
Here’s where you will enter the computer name. I’ll use “AD” (Active Directory). You don’t have to change the workgroup name as we’ll turn this computer into a domain controller in a minute. Make your changes and click on OK.
Windows Server 2008 Computer Name
Once you change the computer name you will have to reboot before the changes will occur. Once your server is rebooted you’ll have to change the IP address.

IP address

Make sure you don’t configure any DNS servers as this server will become a DNS server. You don’t have to configure a default gateway but if you have a router that leads to the outside world you can enter it here:
Windows Server 2008 Change IP Address
Once you have configured your computer name and IP address we can continue with the installation of Active Directory.

Installing Active Directory

Active Directory is where we store all the usernames in a central database. To install it we need to add a new role to the server.
Click on Start > Administrative Tools > Server Manager.
Windows Server 2008 Start Menu Server Manager
Click on Roles > Add Roles.
Windows Server 2008 Server Manager Roles
You will be presented with the following wizard. Click on Next.
Windows Server 2008 Add Roles Wizard
Select Active Directory Domain Services and click on Next.
Windows Server 2008 Add Roles Wizard
You will get a notification about adding the .NET Framework feature. Click on Add Required Features.
Windows Server 2008 AD Features Requested
Click Next to continue.
Windows Server 2008 Add Roles Wizard AD Selected
You will see an introduction about Active Directory Domain Services. Click Next to continue.
windows-server-2008-active-directory-install
Click Next to confirm the installation options.
windows-server-2008-active-directory-install-confirm
You will see the following screen that indicates the installation progress:
windows-server-2008-active-directory-installation-progress
Once the installation is done you might receive a warning about Windows automatic updating. If this is a production server, make a mental note to enable windows updates in the future. Click on Close to continue.
windows-server-2008-active-directory-installation-results
Once Active Directory Domain Services is installed we can create a new domain. Click on the start button and type “dcpromo” (without the quotes):
windows-server-2008-dcpromo
You will see a welcome screen, leave “use advanced mode installation” unchecked and click on Next.
windows-server-2008-ad-domain-services-installation-wizard
You will be presented with some information about operating system compatibility. Click Next to continue.
windows-server-2008-ad-domain-services-compatibility
We will create a new forest with a new domain. Select the second option and click on Next.
windows-server-2008-ad-domain-services-new-domain
The FQDN (Fully Qualified Domain Name) of my forest root domain will be “NETWORKLESSONS.LOCAL”. Click Next to continue.
windows-server-2008-ad-domain-services-FQDN
We will have to select the Forest Functional Level. If you only use Server 2008 R2 or later versions then you can select the “Windows Server 2008 R2” functional level. If you plan to use older versions of Windows Server then you should use a “lower” functional level. I don’t plan to add any other servers to this network so I’ll select “Windows Server 2008 R2” and click on Next.
windows-server-2008-forest-functional-level-2008R2
Select “DNS server” and click on Next.
windows-server-2008-ad-domain-services-dns
You will receive a notification that the server is unable to create a DNS entry. This is OK because the DNS server isn’t installed yet. Click on Yes to continue.
windows-server-2008-ad-domain-services-dns-delegation
The default folder structure is fine, click on Next to continue.
windows-server-2008-ad-domain-services-folders
A separate password is used in case you need to restore your Active Directory. I recommend to use a different password than the administrator password for this. Click on Next to continue.
windows-server-2008-ad-domain-services-restore-password
You will receive a summary, click on Next to continue.
windows-server-2008-ad-domain-services-summary
It will take a couple of minutes to install everything, you will see this progress screen:
windows-server-2008-ad-domain-services-progress
Click on Finish to continue.
windows-server-2008-ad-domain-services-completion
The server will ask you to restart, Click on Restart Now.
windows-server-2008-ad-domain-services-restart
Once your server is restarted you will have a working Active Directory and DNS server. The next step will be to install the certificate server.

Installing Certificate Server

When PEAP wireless clients try to connect to the network, the RADIUS server will present a computer certificate to the user to authenticate itself. It’s up to the client to accept only valid certificates, and this helps to prevent spoofing attacks where an attacker might run a fake RADIUS server. EAP-TLS also requires the computer certificate from the RADIUS server, but we’ll additionally require a client certificate for each user that wants to connect to the wireless network.
In order to do this we will configure our server to become a root CA (Certificate Authority). This allows us to generate a computer certificate and also to generate client certificates.
Click on Start > Administrative Tools > Server Manager.
Windows Server 2008 Start Menu Server Manager
Click on Roles > Add Roles.
Windows Server 2008 Server Manager Roles
Click on Next to continue.
Windows Server 2008 Add Roles Wizard
Select Active Directory Certificate Services and click on Next.
windows-server-2008-add-roles-ad-certificate-services
You will see an introduction to Active Directory Certificate Services. Click on Next to continue.
windows-server-2008-introduction-to-certificate-services
Select Certification Authority. If you want to use EAP-TLS then you should also select Certification Authority Web Enrollment. This will allow us to request client certificates through the web browser which is very convenient.
windows-server-2008-add-roles-certification-authority
Once you select Certification Authority Web Enrollment you will receive a notification that we need to install IIS (Web Server). Click on Add Required Role Services to continue.
windows-server-2008-add-roles-ad-certificate-services-features
Make sure both services are selected and click on Next to continue.
windows-server-2008-add-roles-ca-web-enrollment
The certificate server can be part of the domain and use active directory or run as stand-alone. We want it to use the active directory so select Enterprise and click on Next.
windows-server-2008-ca-type
You can specify if you want this server to be a new Root CA or if you want it to be a Subordinate CA. Select Root CA and click on Next to continue.
windows-server-2008-root-ca
Select Create a new private key and click on Next.
windows-server-2008-new-private-key
The default cryptography parameters are fine, click Next to continue.
windows-server-2008-ca-cryptography
The default CA name is also fine, it will use the computer name and domain name for this. Click on Next to continue.
windows-server-2008-ca-name
The default validity period for the root CA certificate is 5 years. Click Next to continue.
windows-server-2008-ca-validity-period
Click Next to continue.
windows-server-2008-ca-database-location
If you selected the web enrollment option you will see the installation wizard for IIS. You can read the introduction if you like or click on Next to continue.
windows-server-2008-IIS-installation
The default role services are fine, click Next to continue.
windows-server-2008-IIS-role-services
In the confirmation screen you will be warned that you can’t make any changes to the computer name or domain name once you installed the certificate services. Click Install to continue.
windows-server-2008-CA-IIS-confirmation
You will see the following Installation Progress, grab a quick drink…
windows-server-2008-CA-IIS-progress
Once the installation is done you will see another notification that you should enable Windows updates. Click on Close.
windows-server-2008-CA-IIS-installation-results
Right now you have a working Certificate Authority and IIS is running to serve web requests. If you plan to use EAP-TLS we need to enable HTTPS support for IIS, by default it is disabled. If you only want to use PEAP then you can skip this step. Click on Start > Administrative Tools > Internet Information Services (IIS) Manager.
windows-server-2008-iis-start-menu
Click on AD (server name) > Sites > Default Web Site and select Bindings on the right side of the screen.
windows-server-2008-iis-manager
Click on Add.
windows-server-2008-iis-site-bindings
Select https in the Type dropdown box and make sure the SSL certificate has been selected. Click on OK to continue.
windows-server-2008-iis-site-binding-https
This concludes the installation of the certificate server and IIS. We can now move onto the configuration of the RADIUS server.

Installing Network Policy Server

Network Policy Server (NPS) is the RADIUS server that you can find on Windows Server 2008. It has a lot of features and is pretty easy to configure. First we will have to install it.
Click on Start > Administrative Tools > Server Manager.
Windows Server 2008 Start Menu Server Manager
Click on Roles > Add Roles.
Windows Server 2008 Server Manager Roles
Click Next to continue.
Windows Server 2008 Add Roles Wizard
Select Network Policy and Access Services and click Next to continue.
windows-server-2008-server-roles-network-policy-server
Make sure Network Policy Server is selected and click on Next to continue.
windows-server-nps-role-services
You will see the confirmation screen, click Next to continue.
windows-server-nps-confirmation
You’ll see the installation progress…
windows-server-nps-progress
And you’ll see the installation results…
windows-server-2008-nps-installation-results
Click on Close.
The Network Policy server is now installed. In the next part we’ll install a computer certificate that we can use to authenticate the RADIUS server to the wireless clients.

Create RADIUS Computer Certificate

With NPS up and running we are ready to create user and computer certificates. The RADIUS server will have to present a certificate to the wireless users so that they can verify if they are talking to the correct RADIUS server. Let me show you how to check if you have a computer certificate and otherwise how to generate one.
Click on Start and type “mmc” (without the quotes), press enter.
windows-server-2008-mmc
Click on File > Add/Remove Snap-in.
windows-server-2008-mmc-add-remove-snap-in
Select Certificates from Available snap-ins and click on Add.
windows-server-2008-mmc-snap-ins
Select Computer account and click on Next.
windows-server-2008-mmc-snap-in-computer-account
Select Local computer and click on Finish.
windows-server-select-computer
At the right side you can see that the computer certificates are now selected. Click on OK.
windows-server-2008-mmc-selected-snap-ins
Click on Personal > Certificates to see all computer certificates. If everything went OK you should see a certificate that says “Intended Purposes” with Client and Server Authentication.
If you installed NPS on a separate Windows Server 2008 installation, you won’t see a computer certificate here and you’ll have to generate one as well.
windows-server-2008-mmc-computer-certificate
If there’s no certificate, we’ll create a new one. Right mouse click on the white space and select Request New Certificate.
windows-server-2008-request-new-certificate
You will see the following screen, click Next to continue.
windows-server-2008-certificate-enrollment
Select Active Directory Enrollment Policy and click Next to continue.
windows-server-2008-select-certificate-enrollment-policy
Click on Finish.
windows-server-2008-certificate-installation-results
You’ll be back at the MMC and you’ll see the installed certificate. Make sure you see that it can be used for client and server authentication before you continue.
windows-server-2008-mmc-computer-certificate
Your server now has a certificate that can be presented to wireless clients when they request the identity of the RADIUS server. Now we can configure a wireless policy…

Configure Network Policy for EAP Authentication

Network Policy Server is running but we’ll still have to create a policy for our wireless users.
Click on Start > Administrative Tools > Network Policy Server.
windows-server-2008-network-policy-server-start-menu
Do a right mouse click on NPS > Register server in Active Directory.
windows-server-2008-register-nps-in-ad
You’ll be presented the following screen, click OK to continue.
windows-server-2008-nps-dial-in-properties
And a notification that it has been registered, click OK to continue.
windows-server-2008-nps-authorized

Add Cisco WLC as RADIUS Client

Now we can add a RADIUS client. Don’t confuse the RADIUS client with the wireless clients. We are talking about the wireless LAN controller here. Select NPS > RADIUS Clients and Servers > RADIUS Clients (right mouse click) and click on New.
windows-server-2008-new-radius-client
Enter a friendly name (it can be anything, but I suggest using the hostname of the WLC) and the IP address of the WLC. Enter a password in the Shared secret field. We’ll need this once we configure the wireless LAN controller.
Click on OK to continue.
windows-server-2008-nps-radius-client
You’ll be back at the main screen and you will see that the RADIUS client has been added.
windows-server-2008-nps-radius-clients

Create Wireless Policy

Now we can create a network policy. Click on Policies > Network Policies (right mouse click) and click on New.
windows-server-2008-nps-new-network-policy
Give the policy a name, I’ll call it “Wireless”. Leave the type of network access server as Unspecified.
Click Next to continue.
windows-server-2008-nps-policy-name
Now we can specify some conditions. I’ve set the following conditions:
  • Windows Groups: NETWORKLESSONS\Domain Users. By default all users in our Active Directory are members of the Domain Users group. If you only want certain users to be able to connect to the wireless network then it’s better to create a new domain group for this.
  • NAS Port Type: Wireless – IEEE 802.11. This ensures that the network policy only applies to wireless users.
  • Authentication Type: EAP
Click on Next to continue.
windows-server-2008-nps-policy-wireless-conditions
Select Access granted and click on Next.
windows-server-2008-nps-access-permissions
De-select all options in the following screen. We only want to allow PEAP and/or EAP-TLS.

Wireless Policy – PEAP Authentication

First we will add PEAP authentication to our wireless policy. Click on Add.
windows-server-2008-nps-authentication-methods
Here you can select the authentication types that you want. I’ll start with PEAP. Click on Microsoft: Protected EAP (PEAP) and click on OK.
windows-server-2008-nps-add-eap
You will see it in the overview. Select Microsoft: Protected EAP (PEAP) and click on Edit.
windows-server-2008-nps-peap-edit
Make sure you have selected the correct certificate. This is the computer certificate that will be presented to wireless users when they connect using PEAP. It allows our wireless clients to confirm the identity of the RADIUS server.
Click OK to continue.
windows-server-2008-nps-eap-properties

Wireless Policy – EAP-TLS Authentication

I’m also going to add support for EAP-TLS. Click Add and select Microsoft: Smart Card or other certificate.
Click OK to continue.
windows-server-2008-nps-add-eap-tls
Select Microsoft: Smart Card or other certificate and click on Edit.
windows-server-2008-nps-eap-tls-properties
Make sure the correct computer certificate has been selected and click on OK.
windows-server-2008-nps-eap-tls-certificate
You will now see both EAP types in the list.
Click Next to continue.
windows-server-2008-nps-peap-and-eap-tls
You will see an option to configure constraints, you can use these if you want to restrict access to the wireless network…for example you can set a day and time restriction. If you want to do this, it’s best to leave it alone for now and first make sure that everything is working.
Click Next to continue.
windows-server-2008-nps-constraints
Click Next to continue.
windows-server-2008-nps-network-policy
And click on Finish to complete the configuration of our wireless policy.
windows-server-2008-nps-completed-policy
NPS is running and we have successfully created a policy for wireless users.

Add Wireless User to Active Directory

The wireless policy that we created in NPS allows all users in the “domain users” group to access the wireless network but we still have to create a user account.
Click on Start > Administrative Tools > Active Directory Users and Computers.
windows-server-2008-start-menu-active-directory
Select Active Directory Users and Computers > NETWORKLESSONS.LOCAL > Users and do a right mouse click on the white space on the right side. Select New > User.
windows-server-2008-ad-new-user
You will have to enter some details for the new user account. I’ll call my user “Wifi1”. Click on Next to continue.
windows-server-2008-ad-new-object-user
Enter a password and make sure the “User must change password at next logon” field is unchecked. Click Next to continue.
windows-server-2008-ad-user-password
Click on Finish to create the new user account.
windows-server-2008-ad-user-created
So far so good…Active Directory is up and running with a user account, our server is a root CA and has a computer certificate and we configured NPS for wireless users. Now we’ll have to configure the Cisco Wireless LAN controller to use the RADIUS server for authentication.

Configure Cisco Wireless LAN Controller to use Radius Authentication

Configuring a RADIUS server on the Cisco WLC isn’t difficult. First we’ll have to configure the RADIUS server and the next step is to configure a WLAN profile to use WPA(2)-enterprise mode.
Start your web browser and log into the WLC:
cisco-wlc-login-screen

Add RADIUS server

Select Security > RADIUS > Authentication.
cisco-wlc-security-radius
Click on New.
cisco-wlc-new-radius-server
Here you need to enter the IP address and the shared secret (password) that you created when you configured the RADIUS client in NPS.
Click Apply to continue.
cisco-wlc-radius-fields

Create WLAN for RADIUS Authentication

Now we can create a new WLAN and configure it to use WPA-enterprise mode so it will use RADIUS for authentication.
Select WLANs from the main menu, click on Create New and click on Go.
cisco-wlc-create-new-wlan
I will call the new WLAN “EAP”. Click Apply to continue.
cisco-wlc-new-wlan-settings
Select the General Tab and ensure Status is Enabled. The default security policy is 802.1X authentication and WPA2.
cisco-wlc-wlan-edit-general
Now select the Security > AAA Servers tab and select the RADIUS server that you just configured.
cisco-wlc-wlan-edit-security-aaa
That’s all you have to configure on the Wireless LAN Controller. It’s a good idea to verify that you can reach the RADIUS server from the WLC before you continue. RADIUS uses UDP port 1812 so make sure you don’t have any access-lists or firewalls blocking your traffic between the server and WLC.
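The shared secret configured on the WLC (and in clients.conf on FreeRADIUS earlier on this page) is what stops an arbitrary host on UDP 1812 from acting as a RADIUS client, and what stops an arbitrary host from forging an Access-Accept back to the WLC. The following is an added example, not code from the article or from any RADIUS implementation, that builds both sides of that exchange in memory per RFC 2865/3579: the NAS signs its Access-Request with a Message-Authenticator, the server signs its reply with the Response Authenticator, and each side verifies the other. The secret, username and identifier values are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

RADIUS_AUTH_PORT = 1812                   # UDP; the port the WLC must be able to reach on the server
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_MESSAGE_AUTHENTICATOR = 1, 61, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19         # the "Wireless - IEEE 802.11" value the NPS condition matches


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these 2 header bytes), Value."""
    assert len(value) <= 253, "attribute value too long"
    return struct.pack("!BB", atype, len(value) + 2) + value


def _header(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret: bytes, ident: int, username: str,
                         request_auth: Optional[bytes] = None) -> bytes:
    """NAS side. Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    request_auth = request_auth or os.urandom(16)          # Request Authenticator: 16 random bytes
    attrs = (_attr(ATTR_USER_NAME, username.encode()) +
             _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    zeroed = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, _header(ACCESS_REQUEST, ident, request_auth, zeroed), hashlib.md5).digest()
    return _header(ACCESS_REQUEST, ident, request_auth, attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: proves the sender knows the shared secret before any user lookup happens."""
    attrs, off, found = packet[20:], 0, None
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            return False                                   # malformed attribute list
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            found = off
        off += alen
    if found is None:
        return False                                       # EAP requests must carry one (RFC 3579)
    zeroed = attrs[:found + 2] + b"\x00" * 16 + attrs[found + 18:]
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, attrs[found + 2:found + 18])


def build_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS side: an Access-Accept is only trusted if it was computed with the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False                                       # wrong ID: not a reply to this request
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret: bytes = b"testing123") -> Dict[str, bool]:
    """One request/accept exchange, plus a forged Accept from a party without the secret."""
    req = build_access_request(secret, ident=7, username="wifi1")
    accept = build_response(secret, req, ACCESS_ACCEPT)
    forged = build_response(b"wrong-secret", req, ACCESS_ACCEPT)
    return {"request_ok": verify_message_authenticator(secret, req),
            "accept_ok": verify_response(secret, req, accept),
            "forged_ok": verify_response(secret, req, forged)}


if __name__ == "__main__":
    print(demo())
```

Because both authenticators are keyed only by the shared secret, a short or reused secret is the weak point of the whole chain; the FreeRADIUS clients.conf and the NPS RADIUS client entry should use a long random value, and the server should be reachable on UDP 1812 only from the controllers listed as clients.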

Configure Wireless Client (Windows 7)

This is where the real fun starts…it’s time to configure a wireless client to connect to our wireless network. I will be using Windows 7 to demonstrate how to connect using PEAP and EAP-TLS.
If your Windows 7 computer is in workgroup mode (the default) then you will have to import the root CA from the windows 2008 server yourself otherwise you will get an error that the client doesn’t recognize the root CA. This is normal because we created a new root CA and generated a new certificate. When your computer has joined the domain then you can skip this step because it will automatically receive the root CA from the domain controller.
Let me show you how to import the root CA on your Windows 7 computer, if you joined the domain then you can skip this step…

Export root CA from Server

First we will have to export the root CA from the server. Normally you can find it in a shared folder on the server. Connect your client using a network cable and open the shared folder on the server:
\\10.82.2.50\CertEnroll
If you don’t have a network cable or you can’t access the shared folder then it’s also possible to export the root CA from the server ourselves. Go to the server and open MMC:
Click on Start > type “MMC” (without the quotes) and hit enter.
windows-server-2008-mmc
Select File > Add/Remove Snap-In.
windows-server-2008-mmc-add-remove-snap-in
Select Certificates from the available snap-ins and click on Add.
windows-server-2008-mmc-snap-ins
Select Computer account and click on Next.
windows-server-2008-mmc-snap-in-computer-account
When you see Certificates (Local Computer) on the right side you can click on OK.
windows-server-2008-mmc-selected-snap-ins
Select Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates. On the right side you will see your root CA. Select it, do a right mouse click and select All Tasks > Export.
windows-server-2008-export-root-ca
You will see the Certificate Export Wizard. Click Next to continue.
windows-server-2008-certificate-export-wizard
Don’t export the private key. Click Next to continue.
windows-server-2008-certificate-export-private-key
Select the DER encoded binary X.509 (CER) file format and click Next.
windows-server-2008-certificate-file-formats
Choose a folder and filename and select Next.
windows-server-2008-certificate-save-as
And click on Finish to complete the export.
windows-server-2008-certificate-export-completed
Copy the certificate that you just exported to a USB stick or something and move it to your Windows 7 computer.

Import Root CA to Windows 7

Double click on the certificate file that you just exported on your Windows 7 computer and you will see the following screen. Click on Install Certificate.
windows-7-certificate-install
Click Next to continue.
windows-7-certificate-import-wizard
Make sure the Trusted Root Certification Authorities store has been selected. If not click on the Browse button and select it. Click Next to continue.
windows-7-certificate-store
Click Finish to complete the certificate import wizard.
windows-7-certificate-import-completed
You might get a security warning that you are about to trust a new root certificate. Click Yes to continue.
windows-7-certificate-security-warning
We are almost done, we also have to add this certificate in the Windows registry or your computer will still not trust the root CA. If you want to know the exact reason you can look at KB 2518158 on the Microsoft Website.
Click on Start > type “cmd” (without the quotes) and hit CTRL+SHIFT+ENTER. This will open a command prompt with administrative rights.
C:\Users\vmware\Desktop>certutil -f -enterprise -addstore NTAuth AD.crt
NTAuth
Signature matches Public Key
Certificate "CN=NETWORKLESSONS-AD-CA, DC=NETWORKLESSONS, DC=LOCAL" added to store.
CertUtil: -addstore command completed successfully.
Your computer now trusts the root CA. We can now connect to the wireless network.

Configure Wireless Profile for PEAP

We’ll create a new profile to connect using PEAP.
Open Control Panel and select Manage wireless networks.
windows-7-control-panel-manage-wireless
Click on Add.
windows-7-manage-wireless-networks
Select “Manually create a network profile”.
windows-7-manually-create-network-profile
Enter the network name, select WPA-Enterprise or WPA2-Enterprise and click on Next.
windows-7-wireless-security-profile
Select Change connection settings.
windows-7-wireless-profile-created
Select the Security tab, choose Microsoft: Protected EAP (PEAP) and click on Settings.
windows-7-peap-settings
Select Validate server certificate. You should see the root CA that we imported here but you don’t have to select it. Your computer will trust all root CAs in this list by default when you connect to a wireless network.
Make sure the authentication method is Secured password (EAP-MSCHAP v2) and press the configure button.
windows-7-peap-properties
Uncheck the button that wants to automatically use the windows username/password for authentication. Click OK to continue.
windows-7-eap-mschapv2-properties
Click OK until you return at the EAP Wireless Network Properties and select Advanced Settings.
windows-7-eap-advanced-settings
Select Specify authentication mode and choose User authentication. Click OK to continue.
windows-7-eap-user-authentication
Keep clicking on OK until you are out of the wireless profile configuration, you are now ready to connect to the wireless network using PEAP. Look for the wireless icon in the taskbar, select the wireless network and click on Connect.
windows-7-available-wireless-networks

You will see a pop-up that asks for your credentials. Enter the username and password that you configured in Active Directory and click on OK.
windows-7-wifi-username
And you will see that you are now connected:
windows-7-wireless-connected
Congratulations! You just authenticated a user through PEAP. In the next part I’ll show you how to authenticate the user by using EAP-TLS and a client certificate.

Configure Wireless Profile for EAP-TLS

To authenticate a wireless user through EAP-TLS instead of PEAP we will have to generate a client certificate. Connect your Windows 7 computer to the network so that you can access the server, open a web browser and enter the following address:
https://<ip-of-server>/certsrv
You will see a pop-up that asks for credentials. Enter the username and password of the wireless user that requires a client certificate and click on OK.
windows-7-certsrv
Select Request a Certificate.
If you are using Internet Explorer 10 you might receive a warning that says “This Web browser does not support the generation of certificate requests.” You need to enable IE10 compatibility mode to solve this problem.
windows-7-certsrv-request-certificate
Select User Certificate.
windows-7-user-certificate-request
Select Yes.
certsrv-web-access-confirmation
And click on Install this certificate.
certsrv-install-certificate
You will see a notification that the certificate has been installed.
certsrv-certificate-installed
Now we can change the wireless profile that we created earlier for PEAP to use EAP-TLS instead. Do a right mouse click on the EAP wireless profile and select Properties.
windows-7-manage-wireless-profile-peap
Select Microsoft: Smart Card or other certificate and click on OK.
windows-7-wireless-smart-card-certificate
Now try to connect again to the wireless network, select the correct profile and click on Connect.
windows-7-available-wireless-networks
And you will be connected to the wireless network!
windows-7-wireless-connected

Congratulations…you just connected using EAP-TLS!

Troubleshooting

If everything went OK then you now have a working wireless network that offers PEAP and EAP-TLS authentication. There are many components in this tutorial so troubleshooting might be difficult sometimes. Your best friend is the Windows event viewer on the server as it will give you all errors. It’s best to look for the security event log and to check for the network policy server notifications. These will give you a lot of information when you are unable to authenticate your wireless users. If you run into any issues, let me know and I’ll add the troubleshooting steps here.

Conclusion

I hope this tutorial has been helpful to you in installing a Windows Server 2008 machine to act as the RADIUS server for your (Cisco) wireless network that offers EAP-TLS and/or PEAP authentication. If you have any additions or questions feel free to leave a comment and I’ll do my best to answer them. If you enjoyed this tutorial, please share it!

