In a corporate environment shared key encryption is rarely used because of the problems associated with distributing the appropriate keys. In the corporate wireless world many organisations prefer to use 802.1x or RADIUS authentication so that their users can log on to the wireless networks with their domain credentials. I was recently asked to set up just such a system with Unifi access points and controllers on Windows Server 2012, using Microsoft's own RADIUS solution, NPS (Network Policy Server), and 802.1x. There is plenty of information out there, but I found that some of it was out of date and some of it was missing fairly key components. So I present this tutorial in the hope that it helps others get this up and running as quickly as possible. The Unifi system was running 4.8.18, and the details may change a little as things progress.
The network I was working on looked like the following:

– Windows Server 2012 Active Directory – 192.168.1.50
– Ubuntu Server 14.04 LTS Unifi Controller – 192.168.1.60
– Floor 1 Unifi AP – 192.168.1.250
– Floor 2 Unifi AP – 192.168.1.251
– Floor 3 Unifi AP – 192.168.1.252

As part of this project we wanted to turn on the following:

– Windows Server 2012 Network Policy Server – 192.168.1.55

The client also provided its own server certificate to allow clients to authenticate, and we installed that too.
I will assume you already have Active Directory installed, and that you have a server ready for Network Policy Server which is joined to the appropriate domain.

Step 1 – OPTIONAL – Install a Trusted Certificate for Authentication

Update 16 July 2016: An emailer has suggested that if you have an enterprise Windows Certificate Services server set up you shouldn't need to manually import a certificate; you should be able to do it via the usual certificate request process.
Thanks Anon for the clarification 🙂 In this particular example the customer had a full and proper PKI infrastructure, so they wanted to provide a certificate on the RADIUS/NPS server which clients could authenticate against. You don't need to do this step, but if you skip it you'll have to get users to accept the certificate when they connect, or otherwise distribute the certificate.

Florian – August 1, 2016 at 12:27 pm
Hello, Great article!
To connect to the WIFI, I added a few conditions to the network policy. Next, I need to register the MAC addresses to the individual user. “Control access through NPS Network Policy” > check the “Verify Caller-ID:” option.
Thank you very much! I am trying to follow it with a Ubiquiti, but I also have a small question. For a company WIFI I would like to set up (business), I would like the SSID to be hidden. However, I have the following questions:
– Should users use their Windows authentication to connect?
– Or should they know the shared key?
I would love the Wifi to be automatically configured on users' PCs (as it should be hidden), so they do not know the password for the wifi, etc. How can I do this? Thank you in advance!

Gyp – August 17, 2016 at 7:44 pm
Hi Florian, Glad it came in useful for you! A couple of points:
– Hiding the SSID really isn't a good idea from a security perspective.
It's not overly difficult to view hidden SSIDs with the right knowledge.
– Many businesses like Windows Authentication for all the benefits it gives with regards to account termination, password policies, etc. The exchange is encrypted, hence why in the example above you see a certificate request.
– Shared key authentication is good for some purposes; it's quick and easy to communicate. However, many of my customers who use this method then require their users to connect to a VPN to the corporate environment.
– I believe you can push out wireless networks via a GPO and AD.
Best of luck!

Enkhtur – October 26, 2016 at 4:53 am
Hi there, works great! Thanks a lot. I've some questions.
– I want a certificate to be required on the client device when they try to join the wireless network, even if they have a username/password. In this configuration, anyone who has a domain username/password successfully joins. It's increasing the risk to network security: if someone who doesn't belong to my company got one of the domain usernames/passwords, he/she would connect to my wireless network without any problem.
Gyp – October 26, 2016 at 9:16 pm
Hi Enkhtur, Thanks for dropping by! Glad it's working for you. What you are referring to is certificate-based authentication; you will probably want to enable EAP-TLS or PEAP-TLS for this to work, and it absolutely can be done with Unifi based on this post.
Have a look at Microsoft's own Technet guide. You'll also probably want to make sure that whichever certificate you use on the NPS server is also trusted by your client machines.
As to the security aspect I agree totally; you're most certainly adding a second factor to the authentication process! Also, if you couple your certification service with a way of revoking certificates you can cut off access pretty quickly and easily.

Gyp – January 19, 2017 at 9:33 am
Hi Randy, That sounds like a slightly painful environment 🙂 Will these legacy devices not let you connect at all with an “untrusted” certificate? The only other option I can think of is to create a WPA2 network without NPS just for these devices, with a very long key and potentially MAC address filtering too.
Dependent on how paranoid I was feeling I may also connect them to a firewall so they can only access what they need to on a network level. Granted, it's not a perfect setup by any means. Thanks for dropping by and thanks for the comment 🙂 Gyp.

Jaco Smit – January 19, 2017 at 7:47 am
Thank you for the tutorial. Although I tried and tried I cannot get this to work. One major deviation is that I do not wish to use a certificate but CHAP methods to authenticate the various mobile devices and roaming laptops on the network.
Some notes:
– All servers concerned are Server 2012 R2.
– I set up the NPS on the same box running the Unifi Controller software.
– I ran through the wizard like above but deviated as described by me above.
– When testing with the NTRadPing utility, I keep getting “could not receive a response from the server”. I have tried 127.0.0.1, localhost and the LAN IP address of the controller server.
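A server-side check for the usual causes of the "could not receive a response" symptom described in the comment above, added here as an example; it is not code from the post or from any commenter. It assumes it is run in an elevated PowerShell on the NPS server, that the AP addresses are the ones listed earlier in the post, and it relies on the standard NPS service name, firewall rule group and event IDs.

```powershell
# Added example, not from the post or its comments. Run as an administrator on the NPS server.
# Assumption: the AP addresses below are the ones listed in the post.
$ApAddresses = '192.168.1.250', '192.168.1.251', '192.168.1.252'

function Test-NpsListener {
    # NPS runs as the 'IAS' service and listens on UDP 1812/1813 (authentication/accounting).
    $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint -LocalPort 1812, 1813 -ErrorAction SilentlyContinue
    $fw  = Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -Direction Inbound -Enabled True `
               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceRunning      = ($null -ne $svc -and $svc.Status -eq 'Running')
        UdpPortsBound       = (@($udp.LocalPort) | Sort-Object -Unique) -join ','
        InboundRulesEnabled = @($fw).Count
    }
}

function Test-NpsRadiusClientRegistration {
    # NPS silently discards requests from any source address that is not a registered RADIUS
    # client, or whose shared secret does not match, so a test tool simply times out.
    # Testing from the NPS box itself therefore needs a client entry for 127.0.0.1 as well.
    $clients = @(Get-NpsRadiusClient)
    foreach ($ip in ($ApAddresses + '127.0.0.1')) {
        $match = $clients | Where-Object { $_.Address -eq $ip }
        [pscustomobject]@{ Address = $ip; Registered = [bool]$match; ClientName = $match.Name }
    }
}

function Get-NpsRecentRejectEvents {
    # System log, source NPS: ID 13 = request from an unregistered client address,
    # ID 18 = Message-Authenticator invalid (typically a shared-secret mismatch).
    # Security log ID 6273 = NPS denied access; the reason code is in the message body.
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 13, 18 } `
               -MaxEvents 20 -ErrorAction SilentlyContinue
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
               -MaxEvents 20 -ErrorAction SilentlyContinue
    @($sys) + @($sec) | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Test-NpsListener
Test-NpsRadiusClientRegistration | Format-Table -AutoSize
Get-NpsRecentRejectEvents | Format-Table -AutoSize -Wrap
```

If the listener and firewall checks pass but an address shows Registered = False, that alone explains the timeout; a matching event 18 points at the shared secret instead.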
When using WPA2-Enterprise with 802.1x authentication, EAP-TLS can be specified as the authentication method. With EAP-TLS both the wireless client and the RADIUS server use certificates to prove their identities to each other, so the authentication is mutual. Below are the steps for configuring policy in Windows Network Policy Server to support EAP-TLS.

Creating a Connection Request Policy to support IEEE 802.11 wireless connections

1. Open the Network Policy Server console.
2. Navigate to NPS (Local) > Policies > Connection Request Policies.
3. Right-click Connection Request Policies and select New.
4. On Specify Connection Policy Name and Connection Type, enter a Policy name and click Next.
5. On Specify Conditions, click Add.
6. Select NAS Port Type as the condition. For NAS Port Type, check Wireless - IEEE 802.11 and Wireless - Other, then click OK. Click Next.
7. On Specify Connection Request Forwarding, leave the defaults and click Next.
8. On Specify Authentication Methods, leave the defaults and click Next.
9. On Configure Settings, click Next.
10. Review the settings on Completing Connection Request Policy Wizard and click Finish.
11. Right-click the connection request policy just created and select Move up so that its processing order is before any other policies.

Creating a Network Policy to support EAP-TLS as the authentication method for IEEE 802.11 wireless connections

1. Right-click Network Policies and select New.
2. On Specify Network Policy Name and Connection Type, enter a Policy name and click Next.
3. On Specify Conditions, click Add.
4. Select NAS Port Type as the condition. For NAS Port Type, check Wireless - IEEE 802.11 and Wireless - Other, then click OK. Click Next.
5. On Specify Access Permissions, make sure Access granted is selected and click Next.
6. On Configure Authentication Methods, click Add, choose Microsoft: Smart Card or other certificate in the Add EAP dialog and click OK. Uncheck every box under Less secure authentication methods.
7. Select Microsoft: Smart Card or other certificate under EAP types and click Edit. Verify that the Certificate issued to drop-down shows the correct certificate and that the issuer is the Active Directory CA server. Click OK, then click Next.
8. On Configure Constraints, click Next.
9. On Configure Settings, choose NAP Enforcement. Under Auto-Remediation, uncheck Auto-remediation of client computers and click Next.
10. Review the settings on Completing New Network Policy and click Finish.
11. Right-click the network policy just created and select Move up so that its processing order is before any other policies.
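The Edit dialog in the network policy only offers certificates that meet NPS's requirements, and an unsuitable one is the most common reason the expected certificate is missing from the drop-down. The following added example (not part of the original page) reports those properties for every certificate in the machine store and, for the client side mentioned in the comments, checks that the issuing root is trusted. It assumes an elevated PowerShell on the NPS server; $ExpectedIssuer is a placeholder for your AD CA's subject DN.

```powershell
# Added example, not from the original page. Lists the machine certificates NPS could present
# for EAP-TLS/PEAP and flags each property NPS needs. $ExpectedIssuer is a placeholder.
$ExpectedIssuer = 'CN=PLACEHOLDER-Issuing-CA, DC=example, DC=local'
$ServerAuthEku  = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth: NPS only offers certs carrying this EKU
$HostFqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-NpsServerCertificateReport {
    param([string]$IssuerDn = $ExpectedIssuer)
    $now = Get-Date
    foreach ($c in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $ekus = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Thumbprint      = $c.Thumbprint
            Subject         = $c.Subject
            HasPrivateKey   = $c.HasPrivateKey                      # without a key it is not selectable
            ServerAuthEku   = ($ekus -contains $ServerAuthEku)
            IssuedByCa      = ($c.Issuer -eq $IssuerDn)
            InValidity      = ($c.NotBefore -le $now -and $c.NotAfter -gt $now)
            ChainVerifies   = $c.Verify()                           # chains to a root trusted on this box
            NameMatchesHost = ($c.GetNameInfo('DnsName', $false) -ieq $HostFqdn)  # what clients validate
        }
    }
}

function Test-NpsServerCertificate {
    # Returns the certificates that satisfy every requirement; an empty result means NPS has nothing usable.
    $usable = @(Get-NpsServerCertificateReport | Where-Object {
        $_.HasPrivateKey -and $_.ServerAuthEku -and $_.IssuedByCa -and $_.InValidity -and $_.ChainVerifies
    })
    if ($usable.Count -eq 0) { Write-Warning 'No certificate in Cert:\LocalMachine\My meets the NPS EAP requirements.' }
    $usable
}

function Test-ClientTrustsIssuer {
    # Run on a client (locally or via remoting) to confirm the root above the NPS certificate
    # is in the machine's Trusted Root store; otherwise users get the "accept certificate" prompt.
    param([Parameter(Mandatory)][string]$RootSubjectDn)
    [bool](Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootSubjectDn })
}

Get-NpsServerCertificateReport |
    Format-Table Thumbprint, HasPrivateKey, ServerAuthEku, IssuedByCa, InValidity, ChainVerifies, NameMatchesHost -AutoSize
Test-NpsServerCertificate | Select-Object Thumbprint, Subject
```

A certificate that fails only NameMatchesHost will still appear in the NPS drop-down, but clients configured to validate the server name will reject it, so fix the subject or SAN rather than the client policy.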