Tutorial: 802.1X Authentication via WiFi – Active Directory + Network Policy Server + Cisco WLAN + Group Policy
Here is how to implement 802.1X authentication in a Windows Server 2008 R2 domain environment using Protected EAP (PEAP) authentication. I have designed the tutorial to be worked through in this specific order to prevent downtime if it is deployed during the day. By creating the Network Policy Server first, once we switch the authentication type from whatever it was before to 802.1X via RADIUS, our Network Policy Server will immediately start processing requests and allowing machines on the domain. If the Cisco Wireless LAN Controller or Group Policy were configured first, clients would try connecting to a RADIUS server that doesn’t exist yet or present invalid credentials. If you have any suggestions on how to improve the implementation I demonstrate here, please drop a comment below to improve the security/stability of these types of deployments.
Active Directory
First, we need to create a security group in Active Directory that lists the specific users and computers allowed to log in over the wireless network. In this example, we will allow any authenticated user or machine on the domain to authenticate successfully to the RADIUS server. In the screenshot below, you can see I have added both Domain Users and Domain Computers to a security group called WirelessAccess. Here is a screenshot with the above settings.
Network Policy Server
1. Create a new Windows Server 2008 R2 or Windows Server 2012 machine
2. Add the machine to the domain
3. Give the machine a static IP (I’ll use 10.10.10.15 throughout this document as a reference to this server)
4. Open up Server Manager, click Add Roles, click Next on the Before You Begin screen, check Network Policy and Access Services and click Next, click Next on the Introduction screen, check Network Policy Server (leave the rest unchecked) and click Next, click Install.
5. Once Network Policy Server is installed, launch the Network Policy Server snap-in (via MMC or Administrative Tools)
6. Inside of Network Policy Server, on NPS (Local), select RADIUS server for 802.1X Wireless or Wired Connections from the dropdown and click Configure 802.1X
   1. On the Select 802.1X Connections Type page, select Secure Wireless Connections, and enter My Company’s Wireless. Click Next.
   2. Click on the Add… button. Enter the following settings:
      1. Friendly name: Cisco WLAN Controller
      2. Address: 10.10.10.10 (Enter your WLAN Controller’s IP address)
      3. Select Generate, click the Generate button, and then copy down the Shared Secret the wizard generated (we will use this later to get the WLAN Controller to talk to the RADIUS server). Click OK.
   3. Click Next.
   4. On the Configure an Authentication Method page, select Microsoft: Protected EAP (PEAP). Click Next.
   5. Click Next on the Specify User Groups page (we will come back to this).
   6. Click Next on the Configure Traffic Controls page.
   7. Click Finish
7. Click on NPS (Local) -> Policies -> Network Policies. Right click Secure Wireless Connections and click Properties.
8. Click on the Conditions tab, select NAS Port Type, and click Remove.
9. Still on the Conditions tab, click Add…, select Windows Groups and click Add…, click Add Groups…, search for WirelessAccess and click OK. Click OK on the Windows Groups dialog box, then click Apply on the Secure Wireless Connections Properties box. You should now have something like the image below:
10. Click on the Constraints tab.
   1. Uncheck all options under Less secure authentication methods, like the image below:
   2. Click Apply
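The Active Directory group and the RADIUS client from steps 6.2 above can also be created from PowerShell, which is handy when you build more than one NPS server. The following is an added example, not code from the original post; it assumes Windows Server 2012 or later (the NPS PowerShell module is not available on 2008 R2), the ActiveDirectory and NPS modules, and the tutorial’s addresses (10.10.10.10 for the controller). The group name, the friendly name and the secret length are taken from the tutorial or chosen here.

```powershell
# Added example (not part of the original tutorial). Creates the WirelessAccess
# security group and registers the WLAN controller as a RADIUS client on NPS.
# Assumes Windows Server 2012+ with the ActiveDirectory and NPS modules installed.
Import-Module ActiveDirectory
Import-Module NPS

$GroupName   = 'WirelessAccess'          # group used by the Windows Groups condition
$WlcAddress  = '10.10.10.10'             # tutorial's WLAN controller address; replace with yours
$WlcFriendly = 'Cisco WLAN Controller'   # friendly name shown under RADIUS Clients in NPS

# 1. Security group that the Secure Wireless Connections policy points at.
#    Domain Users and Domain Computers are added, as in the tutorial's screenshot.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users and computers allowed to authenticate to the wireless RADIUS server'
}
Add-ADGroupMember -Identity $GroupName -Members 'Domain Users', 'Domain Computers'

# 2. Generate the RADIUS shared secret from a CSPRNG (the same job the wizard's
#    Generate button does). Rejection sampling keeps every character equally likely:
#    248 = 4 * 62, so bytes of 248..255 are discarded instead of being reduced mod 62.
function New-SharedSecret([int]$Length = 32) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    return $sb.ToString()
}

# 3. Register the controller as a RADIUS client, unless one with that name already exists.
$existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $WlcFriendly }
if ($existing) {
    Write-Output "RADIUS client '$WlcFriendly' already exists; no changes made."
} else {
    $Secret = New-SharedSecret -Length 32
    New-NpsRadiusClient -Name $WlcFriendly -Address $WlcAddress -SharedSecret $Secret | Out-Null
    # Shown once so it can be entered on the controller's RADIUS Authentication page.
    Write-Output "Registered $WlcFriendly ($WlcAddress). Shared secret: $Secret"
}

# 4. Take a backup of the NPS configuration before editing the network policy by hand.
#    The export contains the RADIUS shared secrets in clear text, so keep the file
#    with the same care as the secrets themselves.
$Backup = Join-Path $env:USERPROFILE ('nps-config-{0:yyyyMMdd-HHmm}.xml' -f (Get-Date))
Export-NpsConfiguration -Path $Backup
Write-Output "NPS configuration exported to $Backup"
```

Run it once on the NPS server in an elevated PowerShell session, then continue with the Conditions and Constraints steps above. The Windows Groups condition and the Less secure authentication methods checkboxes are still set in the NPS console as described.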
Cisco WLAN
1. Log in to your Cisco Wireless LAN Controller
2. Add a RADIUS server to your controller
   1. Click on the Security tab
   2. Select AAA -> RADIUS -> Authentication on the left side
   3. Click the New… button in the top right
      1. Server IP Address: 10.10.10.15 (The IP address of the NPS server we set up earlier)
      2. Shared Secret Format: ASCII
      3. Shared Secret: The long generated password you wrote down when setting up the Network Policy Server
      4. Confirm Shared Secret: Same password as in the previous step
      5. Key Wrap: Unchecked
      6. Port Number: 1812
      7. Server Status: Enabled
      8. Support for RFC 3576: Enabled
      9. Server Timeout: 2
      10. Network User: Checked
      11. Management: Checked
      12. IPSec: Unchecked
      13. Here is a screenshot with the above settings
3. Create or modify a wireless network to use 802.1X
   1. Click on the WLANs tab
   2. Create a new wireless network or select an existing WLAN ID to edit
   3. On the “WLANs > Add/Edit ‘My SSID’” page, use the following settings
      1. Security Tab
         1. Layer 2 Tab
            1. Layer 2 Security: WPA+WPA2
            2. MAC Filtering: Unchecked
            3. WPA+WPA2 Parameters
               1. WPA Policy: Unchecked
               2. WPA2 Policy: Checked
               3. WPA2 Encryption: AES checked, TKIP unchecked
               4. Auth Key Mgmt: 802.1X
            4. Here is a screenshot of the above settings
         2. Layer 3 Tab
            1. Layer 3 Security: None
            2. Web Policy: Unchecked
         3. AAA Servers Tab
            1. Authentication Servers: Enabled checked
            2. Server 1: Select your RADIUS server from the dropdown
            3. Local EAP Authentication: Unchecked
            4. Authentication priority order for web-auth user: Move RADIUS over to the right
            5. Here is a screenshot of the above settings
   4. Click Apply
Group Policy
1. Go to your domain controller and open up the Group Policy Management console.
2. Right click the Organizational Unit you want to apply the policy to and select Create a GPO in this domain, and Link it here…
   1. Note: the policy must be linked to the OU containing the machines you want to have WiFi access, or to a parent of that OU.
3. Enter 802.1X WiFi Policy for the Name and click OK
4. Right click your new GPO and click Edit
5. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEEE 802.11) Policies
6. Right click and select Create A New Wireless Network Policy for Windows Vista and Later Releases
7. Ensure the following settings are set for your Windows Vista and Later Releases policy
   1. General Tab
      1. Policy Name: My Wireless Policy for Vista and Later Clients
      2. Description: Vista and later wireless network for my company.
      3. Check Use Windows WLAN AutoConfig service for clients
      4. Here is a screenshot with the above settings
      5. Click the Add… button and select Infrastructure
         1. Connection Tab
            1. Profile Name: My Network
            2. Enter your SSID (the wireless network name that gets broadcast) and click the Add… button
            3. Check Connect Automatically when this network is in range
            4. Here is a screenshot of the above settings
         2. Security Tab
            1. Authentication: WPA2-Enterprise
            2. Encryption: AES
            3. Select a network authentication method: Microsoft Protected EAP (PEAP)
            4. Authentication Mode: User or Computer authentication
            5. Max Authentication Failures: 1
            6. Check Cache user information for subsequent connections to this network
            7. Here is a screenshot of the above settings with the Advanced tab open as well
         3. Click OK
   2. Network Permissions Tab
      1. Enter your network into Define permissions for viewing and connection to wireless networks if it hasn’t been added already.
      2. Uncheck Prevent connections to ad-hoc networks
      3. Uncheck Prevent connections to infrastructure networks
      4. Check Allow user to view denied networks
      5. Check Allow everyone to create all user profiles
      6. Uncheck Only use Group Policy profiles for allowed networks
      7. Leave all Windows 7 policy settings unchecked
      8. Here is a screenshot with the above settings (note, you may change the settings above to be in accordance with your own policy; just ensure you don’t check Prevent connections to infrastructure networks).
      9. Click OK
8. Right click and select Create A New Windows XP Policy
9. Ensure the following settings are set for your Windows XP Policy
   1. General Tab
      1. XP Policy Name: My Wireless Policy for XP Machines
      2. Description: My wireless policy for XP machines.
      3. Networks to access: Any available network (access point preferred)
      4. Check Use Windows WLAN AutoConfig service for clients
      5. Uncheck Automatically connect to non-preferred networks
      6. Here is a screenshot of the above settings.
   2. Preferred Networks Tab
      1. Click the Add… button and select Infrastructure
         1. Network Properties Tab
            1. Network name (SSID): My SSID
            2. Description: My wireless network
            3. Uncheck Connect even if network is not broadcasting
            4. Authentication: WPA2
            5. Encryption: AES
            6. Check Enable Pairwise Master Key (PMK) Caching
            7. Uncheck This network uses pre-authentication
            8. Here is a picture of the above settings
         2. IEEE 802.1X Tab
            1. EAP Type: Microsoft: Protected EAP (PEAP)
            2. EAPOL-Start Message: Transmit
            3. Authentication Mode: User or Computer Authentication
            4. Check Authenticate as computer when computer information is available
            5. Uncheck Authenticate as guest when user or computer information is unavailable
            6. Screenshot of above settings
         3. Click OK
   3. Click OK
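Once the GPO has applied to a Windows 7 or later client, it is worth confirming that the profile the client actually received carries the Security tab settings above, including the PEAP server-validation options on the Advanced tab. The script below is an added example, not part of the original tutorial; it assumes the SSID name “My SSID” from the XP policy above (change $Ssid to yours), and relies on the XML that netsh wlan export profile writes, matching elements by local name so the several XML namespaces in that file don’t have to be declared.

```powershell
# Added example (not part of the original tutorial). Run on a domain-joined client
# after "gpupdate /force" to check the wireless profile delivered by the 802.1X WiFi
# Policy GPO against the tutorial's settings. Assumes the SSID "My SSID".
$Ssid      = 'My SSID'
$ExportDir = Join-Path $env:TEMP 'wlan-profile-check'

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
Get-ChildItem -Path $ExportDir -Filter '*.xml' | Remove-Item -Force

# netsh writes "<interface name>-<profile name>.xml" into the folder given
netsh wlan export profile name="$Ssid" folder="$ExportDir" | Out-Null
$ProfileFile = Get-ChildItem -Path $ExportDir -Filter '*.xml' | Select-Object -First 1
if (-not $ProfileFile) {
    throw "No wireless profile named '$Ssid' is present; check the GPO link with gpresult /r."
}
[xml]$Profile = Get-Content -Path $ProfileFile.FullName

# The profile mixes the WLAN profile, OneX, EapHostConfig and MsPeap namespaces,
# so look elements up by local name rather than declaring each namespace.
function Get-ProfileValue([xml]$Doc, [string]$ElementName) {
    $node = $Doc.SelectSingleNode("//*[local-name()='$ElementName']")
    if ($node) { return $node.InnerText.Trim() }
    return $null
}

# Expected values follow the Security tab above: WPA2-Enterprise, AES, PEAP (EAP type 25),
# user-or-computer authentication, one allowed failure, cached user credentials.
# The last two checks cover the Advanced tab: with server validation off, the client
# finishes the PEAP TLS tunnel with whatever RADIUS server answers, so it cannot tell
# the corporate NPS from anything else; the GPO should leave validation on and not
# let users accept unknown servers with a prompt.
$Checks = [ordered]@{
    'Authentication is WPA2 (Enterprise)'          = (Get-ProfileValue $Profile 'authentication') -eq 'WPA2'
    'Encryption is AES'                            = (Get-ProfileValue $Profile 'encryption') -eq 'AES'
    '802.1X is enabled'                            = (Get-ProfileValue $Profile 'useOneX') -eq 'true'
    'Authentication mode is user or computer'      = (Get-ProfileValue $Profile 'authMode') -eq 'machineOrUser'
    'Max authentication failures is 1'             = (Get-ProfileValue $Profile 'maxAuthFailures') -eq '1'
    'User information is cached'                   = (Get-ProfileValue $Profile 'cacheUserData') -eq 'true'
    'EAP method is PEAP (type 25)'                 = (Get-ProfileValue $Profile 'Type') -eq '25'
    'PEAP validates the RADIUS server certificate' = (Get-ProfileValue $Profile 'PerformServerValidation') -eq 'true'
    'Users are not prompted to trust new servers'  = (Get-ProfileValue $Profile 'DisableUserPromptForServerValidation') -eq 'true'
}

$Failed = 0
foreach ($Name in $Checks.Keys) {
    if ($Checks[$Name]) { $Status = 'PASS' } else { $Status = 'FAIL'; $Failed++ }
    Write-Output ('[{0}] {1}' -f $Status, $Name)
}

Remove-Item -Path $ExportDir -Recurse -Force
exit $Failed
```

The exit code is the number of failed checks, so the script can be dropped into a logon script or a monitoring job and the result collected centrally. A FAIL on either of the last two lines means the Advanced tab of the policy needs attention before the SSID is rolled out widely.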