Setting up Wi-Fi Authentication in Windows Server 2008 (Part 2)

If you would like to read the next part of this article series please go to Setting up Wi-Fi Authentication in Windows Server 2008 (Part 1).

Introduction

In Part 1, we discovered why businesses must use the Enterprise mode of Wi-Fi Protected Access (WPA or WPA2), versus using the Personal (PSK) mode. We learned the 802.1X authentication of the Enterprise mode requires the use of a RADIUS server, which is included in Windows Server.

We already installed and configured the Certificate Services in Windows Server 2008. In this part, we’ll continue by installing and configuring the Network Policy and Access Services. Then we’ll setup the wireless controllers and/or access points (APs) with the encryption and RADIUS settings. Next we’ll configure the client computers. Then we’ll finally be able to connect.

Install the Network Policy and Access Services Role

In previous versions of Windows Server, RADIUS functionality was provided by the Internet Authenticate Service (IAS). Starting in Windows Server 2008, it’s provided by the Network Policy and Access Services. This includes the previous IAS services along with the new NAP feature.

On the Initial Configuration Tasks window, scroll down, and click Add roles. If you’ve closed or hidden that window, click Start> Server Manager, select Roles, and click Add Roles.

Select Network Policy and Access Services (see Figure 1), and click Next.

Figure 1: Choose to install the Network Policy and Access Services role

Review the introduction, and click Next.

Select the following (see Figure 2):

• Network Policy Server
• Routing and Remote Access Servers
• Remote Access Services
• Routing

Figure 2: Select to install the first four options

Click Next. Then click Install, wait for the installation to complete, and then click Close.

Now you can begin configuring NPS for the RADIUS functionality: click Start, type nps.msc, and hit Enter.

For the Standard Configuration option, select RADIUS server for 802.1X Wireless or Wired Connections(see Figure 3) from the drop-down menu.

Figure 3: Choose the RADIUS server for 802.1X

Click Configure 802.1X.

For the Type of 802.1X connections, select Secure Wireless Connections (see Figure 4), and click Next.

Figure 4: Select to secure wireless connections

For each wireless controller and/or access point, click Add to create a new RADIUS client entry. As Figure 5 shows, you’ll be specifying a friendly name, which should help you identify it from the others, the IP or DNS address, and a Shared Secret.

Figure 5: Input your wireless controller or access point details

These Shared Secrets are important to the authentication and encryption. Make them long and complex, like passwords. They should be unique to each controller/AP. Later, you’ll enter the same Shared Secrets into the corresponding controller/AP. Remember to keep them secret, store them safely.

For the Authentication Method, select Microsoft Protected EAP (PEAP) since we’re using PEAP.

Click the Configure… button, select the certificate you created earlier, and click OK.

On the Specify User Groups window (see Figure 6), click Add.

Figure 6: Add the user groups you want to be able to connect

On the Select Group dialogs, enter the groups or click Advanced to search for the available groups. If you haven’t created additional groups, you probably want to select Domain Users to allow users and Domain Computers for machine authentication if your controllers/APs support it. If you receive an error that the domain doesn’t exist, restart the Active Directory Domain Services server and try again.

Once you’ve added the desired group(s), click Next to continue.

On the Configure a VLAN window (see Figure 7), if your network (switches and controllers/APs) support VLANs and you have them configured, click the Configure…to setup the VLAN functionality.

Figure 7: Click the Configure button to define the VLAN settings

Now you’re done configuring the VLANs, click Next.

Review the settings and click Finish.

Configure the wireless controllers and/or APs

Now it’s time to configure the wireless controllers or access points (APs). Bring up the web-based GUI for the by entering their IP address into a browser. Then navigate to the wireless settings.

Choose WPA-Enterprise or WPA2-Enteprise. For the encryption type, select TKIP if using WPAorAES if using WPA2. Then enter the IP address of the RADIUS server, which is the Windows Sever machine you just setup. Next, enter the shared secret you created earlier for the particular controller/AP. Then save the settings.

Install the CA Certificate on Client Computers

In Part 1, you created your own Certificate Authority (CA) and server certificate. Thus you must install the CA onto your client computers. This way the clients can validate the server before performing the authentication.

If you’re running a domain network with Active Directory, you may want to deploy this certificate with Group Policy. However, you can also manually install it, like we’ll discuss.

To view and manage the certificates in Windows Server 2008, bring up the Certificate Manager. If you saved that MMC to your desktop in Part 1, open it. Otherwise, follow these steps again:

1. Click Start, type MMC, and hit Enter.
2. On the MMC window, click File>Add/Remove Snap-in.
3. Select Certificates, and click Add.
4. Select Computer account, and click Next.
5. Select Local computer, click Finish, and then OK.

Tip:
Again, you might want to save this MMC to your desktop for easier access later: click File>Save.

Now expand Certificates (Local Computer Account), expand Personal, and click Certificates.

As Figure 8 shows, right-click the certificate with the Issued To value ending in CA, hover over All Tasks, and choose Export…. Then follow the wizard to export. When prompted, don’t export the private key, but use the DER format. You probably want to export to a flash drive so you can take it around to the client computers.

Figure 8: Exporting the CA certificate to install onto the clients

Now on the client computers, double-click the certificate and click the Install Certificate button (see Figure 9). Use the wizard to import it into the Trusted Root Certificate Authorities store.

Figure 9: Installing the CA certificate onto a client.

Configure the Network Settings on Client Computers

Now you can configure the network settings. Like with the certificate installation, you can push the network settings to clients using Group Policy if you’re running a domain network with Active Directory. However, you can also manually configure the clients, like we’ll discuss for Windows XP, Vista, and 7.

First, manually create a network profile or preferred network entry. For the Security Type choose WPA-Enterprise or WPA2-Enteprise. For the Encryption Type, select TKIP if using WPA or AES if using WPA2.

Open the network profile and select the Security tab (in Vista & 7) or Authentication tab (in XP). In XP, check the Enable IEEE 802.1x authentication for this network option.

For the Network Authentication method (in Vista & 7, as Figure 10 shows) or EAP Type (in XP), choose Protected EAP (PEAP). In XP, also deselect both check boxes on the bottom of the window.

Figure 10: Choose PEAP for the authentication method

In Windows 7 only, click the Advanced Settings button on the Security tab. Then on the Advanced Settings window, check the Specify authentication mode option, choose User Authentication, and click OK to return to the Security tab.

Click the Settings (in Vista & 7) or Properties (in XP) button.

Then on the Protected EAP Properties dialog, follow these steps (Figure 11 shows an example):

• Check the first box, Validate server certificate.
• Check the second box, Connect to these servers, and enter your server’s full computer name. If needed, double-check it on Windows Server by clicking Start > Server Manager.
• In the Trusted Root Certification Authorities list box, select CA certificate you just imported.
• Select Secured password (EAP-MSCHAP v2) for the Authentication Method.

Figure 11: Configure the PEAP properties

• Click the Configure button. If you’re running a domain network with Active Directory, you probably want to keep this option checked. Otherwise, uncheck it so the user can enter their username and password when connecting to the network.

Finally, click OK on the dialog windows to save the settings.

Finally, Connect and Logon!

Now that you have the server, APs, and clients configured, you can try to connect.

On a client computer, choose the network from the list of available wireless networks. Unless you enabled the client to automatically use its Windows logon, you’ll be prompted to enter the login credentials, as Figure 12 shows. Use an account on the Windows Server belonging to the group(s) you configured earlier in the Network Policy and Access Services portion of the setup. If you chose the Domain Users group, the Administrator account should be allowed by default.

Figure 12: The login window.

Summary

Now you should have an 802.1X-authenticating and Enterprise-encrypted network, with thanks to Windows Server 2008 for providing the RADIUS functionality. We’ve setup the server, wireless APs, and clients for the PEAP authentication. End-users should be able login with their accounts.

To manage the RADIUS server settings, such as adding or removing APs, use the Network Policy Server utility: click Start>All Programs> Administrative Tools>Network Policy Server.

If you would like to read the next part of this article series please go to Setting up Wi-Fi Authentication in Windows Server 2008 (Part 1).