7/29/2019 NPS Using Microsoft Windows 2008 Server
Using Windows 2008 With Aruba Controllers
Version 1.0
Tobias Rice

This will be a basic setup using Windows 2008 Server to allow dot1x auth with an Aruba controller. Steps to have a basic installation include:

1. Rename the server
2. Setting server as Domain Controller
3. Installing Certificate Services
4. Request Certificates (optional)
5. Installing Network Policy Services (previously IAS)
6. Creating Group Policies

Rename The Server
Something different about Windows 2008 Server is that the server name is auto-generated and you are not given a chance during the install to name the server, so you must do so before installing Active Directory or Certificate Services.
In the Initial Configuration Tasks window, click the Provide computer name and domain link.
Enter a Computer description and click the Change button to change the computer name. I'll be using WLANDC as my name and description.
Enter the Computer name and click OK and reboot when prompted.

Setting Server as a Domain Controller
For this example we set up a new forest for the wlan.net domain. Server 2008 abstracts most server functions into Roles, so we'll be adding the Active Directory Domain Services Role with the Server Manager by clicking Roles and clicking Add Roles.
Select the Active Directory Domain Services Role.
Click through the confirmation screens and click Install. You should see an installation progress screen and finally an installation success message that asks you to run the command dcpromo.exe, which will configure your domain. So click the link to run dcpromo, or click the Start button, select Run and enter dcpromo.exe. You should now see the Active Directory Domain Services install wizard. Click Next to continue.
Choose Create a new domain in a new forest and click Next.
For our example domain we'll use wlan.net. Click Next and it will check to see if the name is already used on the network.
When asked to set which Forest Functional Level, I used the 2008 level.
The next screen you'll see is a warning that the DNS service isn't installed and will offer to install it for you. Just click Next to accept and install.
It will display the following warning; just click Yes to continue.
Just accept the defaults and click Next.
Now you'll be prompted to enter a Directory Services Restore Mode Administrator Password. Enter a password and click Next.
Click Next at the Summary screen.
You'll now see the Installation Wizard install DNS and Active Directory. Check the Reboot on completion box and once the wizard finishes it'll reboot and be ready for the next step.

Installing Certificate Services
To enable PEAP or EAP-TLS we'll need to install Certificate Services to enable a Certificate Authority (CA) to generate and sign certificates for our domain. Again, add a Role via the Server Manager and select Active Directory Certificate Services and click Next.
Click through the confirmation screen and select Certification Authority and Certificate Authority Web Enrollment, which will tell you that you'll need IIS to be installed to use the Certificate Authority Web Enrollment. Click Add Required Role Services and click Next to continue.
When prompted for which type of Certificate Authority to install, choose Enterprise.
When prompted for CA Type, select Root CA and click Next.
When prompted to Set Up Private Key, select Create a new private key and click Next.
When prompted to Configure Cryptography for CA, accept the defaults and click Next for the rest of the confirmation screens.

Request Certificates (optional)
Now that we have our Certificate Authority (CA) up and running we may want to request a certificate for our Authentication Server.
We'll create a Microsoft Management Console (MMC) that will allow us to request and install the certificate for our server. Press the Start button and enter MMC in the command field to open the MMC. Next we'll add the Certificate (For Local Computer) snap-in by clicking File and choosing Add/Remove Snap-in. Select Certificates and click Add.
Now be sure to select Computer Account and click Next.
Choose Local Computer, click Finish and OK.
TIP: While you're here you might as well add the Certificate Authority snap-in and save this MMC to your desktop because you'll need it again in the future.
To request a certificate for your server (if you don't want to use the default certificate) expand Certificates (Local Computer Account), Personal, and right-click Certificates and select All Tasks, Request New Certificate.
Click through the Enrollment screens, choosing the settings you desire for your certificate.

Installing Network Policy and Access Services
In Windows 2008 Server you can no longer just install the Internet Authentication Service (IAS) and have RADIUS functionality. You must now install Network Policy and Access Services, which includes everything from earlier versions of Windows Server such as RRAS/IAS/etc., and now also includes NAP (think NAC for Windows). We will be installing and configuring just enough to enable PEAP and RADIUS functionality with our Aruba controller. So once again head to the Server Manager and Add a Role, selecting Network Policy and Access Services, and click through the confirmation screen.
Select Network Policy Server, Routing and Remote Access Services, Remote Access Service and Routing. Click Next, click through the confirmation screen and click Install.
Installation will take a couple of minutes and present you with an install summary. Just click Close.
Now that NPS is installed, press the Start button and enter nps.msc in the command field. The NPS MMC should open up, allowing you to select the RADIUS server for 802.1X Wireless or Wired Connections Installation Wizard from the Standard Configuration pull-down menu and click Configure 802.1X.
From the Select 802.1X Connections Type page, select Secure Wireless Connections and click Next.
From the Specify 802.1X Switches screen click Add and enter the settings for your Aruba controller and press OK.
For the Configure an Authentication Method screen select Microsoft Smart Card or other certificate for EAP-TLS or Microsoft Protected EAP (PEAP) for PEAP. I will be selecting PEAP for this example and click Configure.
Select the appropriate certificate to use for this server. In this case we'll use the WLANDC.wlan.net certificate and click OK.
For the Specify User Groups screen select the users and/or groups you would like to allow wireless access. For this example I am allowing all of my domain users by selecting the Domain Users group. If I want to enforce Machine Authentication I need to add the Domain Computers group as well as checking the Enforce Machine Auth option in the dot1x policy on my Aruba controller. Click Next to continue.
Note: Groups listed here are considered as an OR statement.
For the next screen you can click Next and Finish or click Configure to add RADIUS attributes for Server Derivation rules.
For example, you may want to map the Domain Users to the employee_role on your Aruba controller. You could do that here with the Filter-Id attribute.
Note: There seems to be a bug in Windows: if you mess with these attributes too much, the Filter-Id attribute vanishes. If this happens, cancel out of the wizard and start over.
Press Next and Finish to complete the wizard. This should now allow you to authenticate users against your Windows 2008 Server. To test your configuration, ssh to your Aruba controller and configure it to use the new RADIUS server.

(MC800) >en
Password:******
(MC800) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(MC800) (config) #aaa authentication-server radius nps
(MC800) (RADIUS Server "nps") #host 10.1.0.236
(MC800) (RADIUS Server "nps") #enable
(MC800) (RADIUS Server "nps") #key p@ssw0rd
(MC800) (RADIUS Server "nps") #nas-identifier ArubaMaster
(MC800) (RADIUS Server "nps") #nas-ip 10.1.0.250

Now test to see if everything is working properly.

(MC800) #aaa test-server mschapv2 nps tobias qwerty12!@
Authentication successful
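
The key set on the controller has to match the shared secret entered for the controller on the Specify 802.1X Switches screen, because every RADIUS packet that carries EAP is integrity-protected with it. The Python below is an added example, not part of the original guide: it builds an Access-Request as the controller side would and checks its Message-Authenticator (RFC 3579, HMAC-MD5) as the server side would, once with the matching key and once with a key that differs by one character. The host values come from the session above; the packet ID, the EAP identifier and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

# RADIUS attribute types (RFC 2865 / RFC 3579)
USER_NAME, NAS_IP, NAS_ID, EAP_MESSAGE, MESSAGE_AUTH = 1, 4, 32, 79, 80

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def eap_identity_response(eap_id, identity):
    # EAP Code=2 (Response), Identifier, Length, Type=1 (Identity)
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def build_access_request(secret, pkt_id, user, nas_ip, nas_id):
    """Controller side: Access-Request carrying EAP, signed with the key."""
    attrs = (attr(USER_NAME, user)
             + attr(NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_ID, nas_id)
             + attr(EAP_MESSAGE, eap_identity_response(1, user)))
    zeroed = attrs + attr(MESSAGE_AUTH, bytes(16))
    # Code=1 (Access-Request), ID, Length, random Request Authenticator
    header = struct.pack("!BBH", 1, pkt_id, 20 + len(zeroed)) + os.urandom(16)
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTH, mac)

def verify_message_authenticator(secret, packet):
    """Server side: recompute HMAC-MD5 with the attribute value zeroed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == MESSAGE_AUTH and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += alen
    return False  # no Message-Authenticator: an EAP request must be dropped

def demo():
    # Values taken from the controller session above; packet ID 7 is arbitrary
    pkt = build_access_request(b"p@ssw0rd", 7, b"tobias",
                               "10.1.0.250", b"ArubaMaster")
    return (verify_message_authenticator(b"p@ssw0rd", pkt),   # keys match
            verify_message_authenticator(b"P@ssw0rd", pkt))   # one char off

if __name__ == "__main__":
    print(demo())
```

A server that fails this check discards the request without answering, so a key mismatch shows up on the controller as a timeout rather than as a reject.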