Securing Wireless Networks with Windows Server 2008 and NPS

In this post I’m going to go through the process of securing your wireless network using Windows Server 2008 and the NPS (Network Policy Services) role from start to finish.

Previously, I was using Windows Server 2003 with IAS (Internet Authentication Services) to secure my wireless network, until I recently upgraded all of my servers to Windows Server 2008 – By the way, NPS is the new version and name for IAS.

Here is the TechNet guide which I followed – http://technet.microsoft.com/en-us/library/cc771455.aspx – I will be applying these guidelines to the following environment…

  • A Windows Server 2008 machine running AD DS (Active Directory Domain Services)
  • A Windows Server 2008 machine running NPS (Network Protection Services) and AD CS (Active Directory Certificate Services)
  • A Linksys WAP54G (an entry level wireless access point – you can use any wireless access point that supports RADIUS)

You can run NPS, AD DS and AD CS on the same machine if you want to, but I wouldn’t recommend it (personally, I prefer to keep my domain controllers running only AD DS).

I’m not going to go through the process of installing AD DS as it’s a little out of scope for this post, so we’ll start from having an established domain, and a clean install of Windows Server 2008 on which we will install AD CS and NPS.

The first step is installing AD CS and NPS on your clean Windows Server 2008 install…

  1. First, you’ll need to join the server to your existing domain and then restart;
  2. After the server restarts, open Server Manager;
  3. Click on the Roles node;
  4. Click on the Add Roles;
  5. On the Server Roles screen, select Active Directory Certificate Services and Network Policy and Access Services;
  6. Follow the wizard, selecting Network Policy Server when configuring the Network Policy and Access Services role and leaving the default Certification Authority role service selected for AD CS;
  7. Select Enterprise for the setup type for AD CS;
  8. Choose Root CA for the CA Type (remember we’re assuming that this is the first Certification Authority in your environment, so if it’s not you either don’t need to install this role, or if you choose you can configure this server as a Subordinate CA instead);
  9. Run through the rest of the wizard, making any changes you may wish to, otherwise just leave the defaults as they are appropriate (I changed the CA Common Name to the name of the server, as I think it’s cleaner) – Note that there is a warning at the end of the wizard, stating that the name of this server cannot be changed after installing the AD CS role.

Now that you have a Root CA and an NPS server on your domain, we can start configuring it…

  1. Open an MMC console, and go to File -> Add/Remove Snap-in…
  2. Add the Certificates snap-in, selecting Computer account for the local computer;
  3. Expand Certificates (Local Computers) -> Personal, right click on Certificates and choose Request new certificate;
  4. Follow the wizard, choosing Computer for the certificate type and then click the Enroll button, then close MMC;
  5. Open the Network Policy Server administrative console from Administrative Tools;
  6. Right click on the parent node, NPS (Local) and click Register server in Active Directory – Click OK on the two informational popups;
  7. With the NPS (Local) node still selected, choose RADIUS server for 802.1X Wireless or Wired Connections and then click on the Configure 802.1X button;
  8. Under Type of 802.1X connections, select Secure Wireless Connections and provide an appropriate name for the policies which will be created as part of this wizard;
  9. In the next step, you’ll need to configure a RADIUS client (by the way, RADIUS stands for Remote Authentication Dial In User Service), so click on the Add button;
  10. The RADIUS client will be your wireless access point, so for the friendly name type in something to identify the access point (for example, AP01), then provide the IP address or DNS entry for the access point;
  11. Click on the Generate radio button, and then click on the Generate button to generate a shared secret – Copy the shared secret to a notepad document, and click OK – Note that on my particular access point, a character limit of 22 characters exists for shared secrets so I had to cut the string down to the acceptable limit, so I would suggest checking for this limitation on your own hardware;
  12. Click Next, and then choose Microsoft: Protected EAP (PEAP) and then click on the Configure button (if you get an error message, you probably didn’t follow steps 1 -> 4 correctly);
  13. Ensure that the Certificate issued drop down box has the certificate you enrolled in step 4;
  14. Click Next, and then click on the Add button to use an Active Directory group to secure your wireless (you should add both the machine accounts and user accounts to this group to allow the machine to authenticate on the wireless before the user logs in);
  15. On the next step of the wizard, you can configure VLAN information, otherwise just accept defaults to complete;
  16. Restart the Network Policy Server service.

If you expand the Policies node now, you’ll see that the wizard has created a Connection Request Policy and a Network Policy containing the appropriate settings to authenticate your wireless connection – These individual policies can obviously be created manually, but the wizard is an easier method.

You can also remove the less secure authentication method options, and increase the encryption methods in the network policy if you wish (I have configured mine this way)…

  1. Under the Network Policies node, bring up the properties of the newly created policy;
  2. On the Constraints tab, uncheck all of the checkboxes under Less secure authentication methods;
  3. On the Settings tab, click on Encryption and uncheck all boxes except Strongest encryption (MPPE 128-bit);
  4. Save the policy and then restart the Network Policy Server service.

With the NPS server configured to accept requests from your wireless access point, you’ll now need to configure the access point to communicate with the NPS servers – These instructions are for my Linksys WAP54G, but will be similar to most access points which support RADIUS…

  1. In the web interface for the access point, click on the Wireless tab and assign an appropriate SSID;
  2. Click on the Security sub-tab, and set the Security Mode to WPA-Enterprise (if your access point supports WPA2-Enterprise, use this instead);
  3. Set the Encryption to AES, and then provide the NPS server IP as the RADIUS Server and the Shared Secret that you saved in step 11 above;
  4. Save your settings and restart the access point.

Now your access point should be configured to talk to your NPS server, so all that is left is to configure your clients to connect – The recommended way of doing this, would be to use Group Policy, but the instructions below are for configuring a Windows Vista client – You can easily replicate these actions in a Group Policy under the Security node.

To configure a Windows Vista client which is joined to the domain…

  1. Open up the Network and Sharing Center;
  2. Click on Connect to a network;
  3. Locate the network you have just secured (it should say Security-enabled network next to it) and click the Connect button;
  4. It will take a short while to set up the profile and then connect successfully.

You can also configure a few extra settings to speed up the time it takes to connect (it won’t improve the overall speed, only the time it takes to initially connect to the wireless network)…

  1. In the Network and Sharing Center, click on Manage wireless networks and then double click the network you set up above;
  2. Click the Security tab, and then the Settings button below;
  3. The Validate server certificate checkbox should already be selected by default, but you should also select the CA that you set up earlier under the Trusted Root Certification Authorities to speed up the certificate verification process;
  4. You can also check the box Do not prompt user to authorize new servers or trusted certification authorities in order to improve the user’s experience.

Some suggestions recommendations…

  • Use a security group with the appropriate machine and user accounts as members to secure your network;
  • Group Policy is by far the best way to deploy the client side settings, but will obviously require an established domain connection in order to push these settings down to the clients;
  • While disabling the SSID of your access point sounds like an increased security measure, it can be a security risk if you are configuring your workstations to actively look for the SSID name – Potential session hijackers could intercept this traffic and set up an SSID for the requested name, unknowingly to the user which would then connect to a potentially malicious network;
  • You can vary the encryption type from AES to TKIP if your devices don’t all support AES, although AES is the preferred encryption algorithm;
  • If you’re having trouble with your connection, there are a few places you can look to troubleshoot, namely – Local client event logs, the NPS log file which lives in C:WindowsSystem32logfiles and most importantly the Security event logs of the NPS server which contains detailed information about access successes and failures.

51 thoughts on “Securing Wireless Networks with Windows Server 2008 and NPS”

  1. Nice guide! I had a new 2k8 server running AD that I applied your guide too. I listed the few things I had to do below before it would work. I wanted to help anyone else who might run into the same thing.

    I used the link below and had to modify the things in red to be able to generate a computer certificate. Before it said I did not have the authority to create a computer certificate.

    http://technet.microsoft.com/en-us/library/cc774602.aspx

    1. Click Start, point to Administrative Tools, and click Active Directory Sites and Services.
    2. On the View menu, click Show Services Node.
    3. Double-click Services, double-click Public Key Services, click Certificate Service, and double-click Machine Properties.
    4. On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.
    5. Right-click Domain Users, and click Properties.
    6. On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.
    I also installed the IIS component to get certificates over the web. I was able to get the certificate okay. But then the clients could not connect, with an error in the security log stating

    Authentication Details:
    Proxy Policy Name: Use Windows authentication for all users
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: Server.domain.local
    Authentication Type: EAP
    EAP Type: –
    Account Session Identifier: –
    Reason Code: 22
    Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    To fix that I opened NPS and Opened Policies  Then Network Policies Open “Connections to the other access servers” On the “Contraints” tab add “Microsoft: Smart Card or Other Certificate” I also followed the advice of your article and disabled the less secure connection methods and encryption types. Then the clients could connect perfectly!

  2. Almost forgot open NPS and Policies * Then Network Policies Open “Connections to the other access servers” Open it and grant access!

  3. Hello!
    Thank you for your article, helped me to setup my Radius on a WRT600N, using DD-WRT.

    But i have a question.

    My company receives guests and sometimes, they need to access the internet.

    Using Radius, how can i do that, without the need to these guests enter in my AD Domain ?

    Thanks!!

  4. Hi Sergio,

    There are a few ways you can do this. My recommended method involves m0n0wall of pfSense to set up a captive portal.

    This way you will maintain two wireless access points (either two physical, or two virtual access points depending on what your wireless hardware supports) and leave one unsecured. You can then configure m0n0wall or pfSense to provide a captive portal on this interface which will redirect all users accessing the wireless to a web page where they will need to log in (like a wireless hotspot at a cafe, for example).

    I have been in the process of writing an article detailing this, but haven’t had the chance to finish it yet. If you Google it there should be a bit of information on it.

    The second, and easiest method is just to alter the policy on your NPS server to relax the restrictions.

  5. Nice article ………… you guide it very well……… I use this features on my pc and it work easily…………..
    Thanks for posting this article……………. It’s very helpful for me……

  6. what can i do for the creating the computer cert.
    it says you dont have permission…
    i follow the rays topic but when i click to public key services, there is nothing like his topic to click or change security settings about it.
    can you help me about it?
    p.s : i have only one server for everything. yours is just about the nps.
    ty

  7. and my ap is ap-301(airties)
    when configuring radius,i slect wpa-inter and radius ip , port,etc.. i cant select aes,(no option for selecting aes or tkip)
    if i can create the computer cert. and follow your topic , can it work with this ap? ty

  8. Did you ever got this to work with Cisco Aironet 1200. I am having problems. Any help would be appreciated.

  9. Thanks a lot for this guide. I was playing around with NPS and couldn’t get it to work, apparently my certificates weren’t working well. Can confirm if it works when I’m back home, thanks again!

  10. Mat or Ray,
    I’m trying to follow your directions and get stuck at the point I’m creating the Computer Cert. I have the problem that Ray refers to in his first post; however, when I go to Active Directory Sites and Services; Show Services Node; Services and then Public Key Services, I do not see the Certificate Service option. The options that I do see under Public Key Services are AIA, CDP, Cert Templates, Cert Authorities, Enrollment Services, KRA & OID. Does anyone know what I am doing wrong? I’m a Cisco guy and not Microsoft.
    Jeff

  11. Thanks for the write up. Wanted to post some things I found just incase it helps others.

    *My NPS server was also the Domain Controller, when I created the certificate I couldn’t create a computer certificate, I had to do another domain controller certificate, but it work for this. (good becuase I couldn’t find the folders under public key services in AD Sites and services like others).

    *I had to move the newly created network policy, to the top priority in order for things to work.

  12. I’m trying to follow your directions and get stuck at the point I’m creating the Computer Cert. When I go to Active Directory Sites and Services; Show Services Node; Services and then Public Key Services, I do not see the Certificate Service option. The options that I do see under Public Key Services are AIA, CDP, Cert Templates, Cert Authorities, Enrollment Services, KRA & OID. Does anyone know what I am missing?

    Any help would be appreciated

  13. I have set this up, and it works perfect for users computers that are already part of the domain, however, when a non-domain computer attempts to connect, it asks for the username and password, then fails? Server reports NAP error code 16. Any thoughts? Thanks!

  14. I have set this up, and it works perfect for users computers that are already part of the domain, however, when a non-domain computer attempts to connect, it asks for the username and password, then fails? Server reports NAP error code 16. Any thoughts? Thanks!
    Any Procedure for working in Non Domain Computer using NPS for Wireless….

  15. Nice guide, one which I’ll probably need to use in an upcoming setup. We’re currently using RAIDUS on a Windows 2k3 box and have two networks (different VLANs and all), one for internal users (they get the settings through GPO and certificates are used, much like in this guide) and another one for our guests.

    The problem is that our guest network always prompts for a username and password and there’s no way for the client (be it a regular PC or even more often a phone) to remember it, typing both in each and everytime a user check their e-mail is annoying.

    How could I configure our guest network to authenticate to a RADIUS running on our new Windows 2k8 R2 box, so that security is as high as possible (keep in mind phones won’t be domain joined machines) and get away with the current constant prompts for username, password.

  16. Hello, i have a windows 2008 but in my configuration i shouldn’t use certificates. I am having on logs messages ,error “The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.” on security tab and error “Negociation failed, EAP methods are not available” on the application tab

    Do you have an idea please?

  17. to yoyomeg- even if you do not use certificates, for peap you have to have a server certificate (just the server- and the cryptographic security provider should do schannel). For that you should install the role “ad cs” (with the web erollement) – it works also for stand alone cas, for not enterprise editions).
    by the way, check also the event logs from windows, like systems and applications (not just the nps event logs).
    (I am talking about 2008r2- but it is probably the same to 2008)

  18. Awesome write up, but I can’t seem to get Win7 hosts to authenticate successfully. OSX and iPhone’s can accept the cert and connect with no problem though. Getting an error in event viewer of “The Certificate chain was issued by an authority that is not trusted”.

    I’ve been researching that error with no solution yet. Any help would be awesome by someone with experience with Server 2008 RADIUS.

  19. Thanks Mat for the blog post, I had 802.1x working on my Cisco Aironet’s in the lab in about 25 minutes. Good stuff!

  20. Authentication Type: EAP
    EAP Type: –
    Account Session Identifier: –
    Reason Code: 22
    Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    This message – if something wrong with your Certificate Authority server

  21. Easy to follow, got it setup in about 10 minutes…………..

    Then have spent the past two days trying to figure out why I can’t get it to work. I get a these debug errors:

    1. dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    2. failed: by EAP authentication server
    3. (SERVER_WAIT,SERVER_FAIL)

    My AP is a Cisco AIR-AP1142N-A-K9.

    If anyone has an idea please let me know. On a side note I did get our cisco gear (routers/switches) to authenticate via Radius on this same 2008 R2 server. Just stuck on the wireless.

    P.S. I disabled all in NPS I created for the routers/switches, just in case anyone is thinking that is interfering with the wireless.

  22. Cannot Authenticate using Windows 7. Looking at logs it’s doing something. I’m using dd-wrt software for AES Authentication.

    Creating certs with no problems. Everything follow to the letter and cannot connect.

    Please Help.

    thanks,

  23. Has anyone tried this using CA on a 2003 box and NPS on a 2008 box? I can’t request a new cert on the 2003 box, so I’m not sure if this is a permissions issue or not.

    Thanks.

  24. Thanks for the NPS Wireless Guide.

    Two things:

    Make sure you use the correct certificate.
    Do not install Routing and Remote Access along with NPS.

    Best,

    Vince

  25. Hi, great post but how do I get none domain PC’s, phones and tablets to authenticate via their MAC addresses? I was hoping I could enter their MAC address somewhere and the RADIUS server would authenticate it that way.
    Cheers,
    T

  26. Best way to even more simplify procedure described in this post is to get 3rd party trusted certificate (www.startssl.com for example). That way configuring local CA is not necessary, you simply apply certificate that is already installed on server.

  27. Is a certificate needed? I have pretty much everything configured except a cert, and can’t connect my iPhone. I get prompted for usernamepassword but get told that what I enter is incorrect (even though it’s my correct domain login).

  28. How can this be configured using 3rd party certificate from Network Solutions? I’m attempting to setup in this configuration and I can’t seem to get it working. Anyone have any guidance?

  29. This was an excellent write up and got me most of the way to a working system, however in my exercise I found I had to do the following change.

    From step 4 under CA setup, I did not have the option to choose “Computer” for my certificate enrollment and did not have many viable options, probably from an order of operations during the install. To fix this (Windows 2008 R2):

    Open Certificate Authority
    -> Right click Certificate Template
    -> New
    -> Certificate Template to Issue
    -> Choose “RAS and IAS Server”
    -> Return to step 4 in the above Guide and choose the newly available template
    -> In NPS make sure to choose the certificate with the correct, and in most cases, most recent time stamp

    If you skip this step or choose the wrong certificate there will be an error in the NPS log stating that the server cannot validate that authentication type.

    **Missing cert error**
    [Reason 22: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.]

    **Wrong cert error**
    [Reason 23: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.]

    Using a certificate that is generate in the above procedure works well for a domain, but if non-member computers will need to modify the network settings to ignore the certificate validity in order to connect.

    **Non-member attempt to validate**
    [Reason 265: The certificate chain was issued by an authority that is not trusted.]

    If anyone has a guide to complete the procedure with trusted certs I would love to see it.

    Thanks

  30. Follow these additional steps to apply and have clients authenticate with a GoDaddy Public SSL Certificate

    • MMC
    o Add snap-in
     Certificates
    • Computer account
    • Local Computer
    • Finish
     OK
    o Certificates
     Personal
    • Certificates
    o Right-click
    o All Tasks
    o Advanced Operations
    o Create Custom Request…
     Next
     Proceed without enrollment policy
     Next
     (no template) Legacy Key
     Next
     Details
     Properties
    • General
    o [Friendly Name for Identification]
    • Subject
    o Subject Name
     Type=common name
     Value=Server FQDN
     Add
    • Extensions
    o Key Usage
     I selected all
    o Extended Key Usage
     Server Authentication
     Client Authentication
    • Private Key
    o Key Options
     Key Size=2048
     Make private key exportable=yes
    • OK
     Next
     Save as a local File
     Format=Base 64
     Finish
    • GoDaddy.com
    o Launch the SSL Cert control panel and paste your newly created CSR from above
    o After the certificate is issued, Download it as Other from the control panel
    • Back in the MMC
    o Certificates
     Personal
    • Certificates
    o Right click
    o All Tasks
    o Import
    o Next
    o Browse to the extracted GoDaddy certificate you downloaded
    o Next
    o Next
    o Finish – (takes a moment to complete)
    • Open Network Policy Server
    o Policies
     Network Policies
    • Open the active policies for authentication
    o Constraints
     Select the EAP Types to use the certificate
     Edit
     Choose the newly available cert identifiable by the specifiec friendly name you chose above
     OK
    • Test the configuration from a wireless client that is not a member of the domain. Should connect without errors.

  31. I have this running on 2008r2 for a while. Now I tried the same on 2012 and get the following error:
    “The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.” Did someone have it running on 2012?

  32. I have created NPS server in Windows server 2008 R2 and my wireless user are able to connect to access point after use domain login credentials. I want to , connect users. After manually import the certificate in client system. Means first export certificate from server and then manually install in client system then only able to connect my Wi-Fi network through AP. Would appreciate if anybody will help me to configure the same.

  33. Hi,
    Thanks for the tutorial. I can connect my laptop but it does not get any ip.
    I was wondering how the wireless client will get the ip ? I have setup the DHCP in NPS server but it doesnot solve the issue. How to link the dhcp to radius so that wirelless client can get the ip ?
    Hope it is clear.

  34. Hi ,
    Thanks for the reply I have configured DHCP in Access point. So after authenticate user name and password AP will provide the IP to laptop.
    But my concern is that if I manually install certificate then only, user can access Wi-Fi otherwise.
    without certificate NPS server will not allow to connect the wi-fi to laptop users.

  35. You re brilliant Mat!!
    Thanks a lot, I was looking for solution to centralize our RUKUS and CISCO wifi authentication. Finally, it’s done with your help!

    Thanks again,
    Mahesh Maniyeri

  36. Cisco WLC 2504 has stopped authenticating new users to connect through Active Directory Server 2008 r2 Radius.

    Event ID is 6273
    Reason Code 8, 23 and 65.

    At Cisco Log in: “The User Name and Password combination you have entered is invalid. Please try again.”

    and in Event ID bottom is.

    The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    Accounting information was written to the local log file.

Leave a Reply

Your email address will not be published. Required fields are marked *