How to Configure Windows Server 2008 for Radius Authentication

 

Requirements

This configuration example uses the following devices:

  • Windows 2008 R2 as the Radius server.

  • One EX4300 switch as the authenticator. Software version: Junos OS Release 18.4R2-S3.

  • One laptop or PC running Windows 10 or macOS as the user.

Overview

Use this NCE to configure Windows Server 2008 to authenticate users by using the EX Series switches for PEAP authentication.

To configure Windows Server 2008 for radius authentication, you must:

  1. Configure the server:
    1. Change the computer name and IP address.
    2. Configure Active Directory Domain Services (ADDS) and add DNS server as the domain controller.

      ADDS stores information about users, computers, and other devices on the network. ADDS helps administrators to securely manage this information and facilitates resource sharing and collaboration between users. ADDS is also required for directory-enabled applications such as Microsoft Exchange Server and for other Windows Server technologies such as Group Policy.

      To ensure that you can log on to the network in case of a server outage, we recommend that you install at least two domain controllers for a domain.

      ADDS requires a DNS server on the network. If you have not installed a DNS server, you are prompted to install the DNS server role on the server.

    3. Configure Active Directory Certificate Services.

      When the user tries to connect to the network, the RADIUS server sends its certificate to the user to authenticate itself. To prevent users from receiving fake certificates and to ensure the authenticity of the certificate and the Radius server, you should configure the server as a root Certificate Authority (CA). This allows the server to generate a computer certificate and client certificates.

    4. Install Network Policy Server (NPS).

      NPS is the Radius server that ensures the health and security of your network. NPS allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. With NPS, you can also enable Network Access Protection (NAP), which is a client health policy creation, enforcement, and remedial technology.

  2. Create certificates.

    These certificates are digital credentials that are used to connect to wireless networks, protect data, establish identity, and perform network and data security related tasks. The Radius server sends these certificates to the users so that they can verify that they are communicating with the correct Radius server.

  3. Configure NPS for EAP authentication.

    This enables NPS to authenticate users in the Active Directory.

  4. Add Radius Authenticator details.

    Radius clients allow you to specify the network access servers that provide access to your network.

  5. Create network policies for users.

    Network policies allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect.

  6. Add wireless users to the active directory.
  7. Export root CA from the server.
  8. Import root CA to Windows 7.
  9. Configure EX switch for the authenticator role.
  10. Select the dot1x authentication check-box for the user device to trigger the dot1x authentication with the NPS server.

Topology

In this example, EX Series switch acts as an authenticator and Windows server with NPS acts as the Radius server. Figure 1 shows the physical topology and the IP addressing scheme used in this example.

Figure 1: Radius Authentication Topology

Configure Windows Server 2008 for Radius Authentication

Overview

This section shows how to configure Windows Server 2008 for Radius authentication by using NPS.

Configure the Server

Use this section to configure the Windows Server 2008.

Configure Computer Name and IP Address

Step-by-Step Procedure

  1. On Windows Server 2008, click Start > Computer, right-click on Computer, and select Properties.
  2. Click Change settings. The Computer Name/Domain Changes page opens.
  3. Enter the computer name in the Computer name field.
  4. Select Workgroup and enter the workgroup name in the Workgroup field.
  5. Click OK to save the settings.

Configure ADDS

Step-by-Step Procedure

  1. On Windows Server 2008, click Start > Administrative Tools > Server Manager. The Server Manager page opens.
  2. From the left navigation bar, click Roles > Add Roles and follow the Add Roles Wizard.
  3. On the Before You Begin page, click Next.
  4. On the Select Server Roles page, select Active Directory Domain Services and click Next.
  5. On the Active Directory Domain Services page, click Next.
  6. On the Confirmation Installation Selections page, click Install.
  7. Click Close. The Active Directory Domain Services is installed.

Add DNS Server as Domain Controller

Step-by-Step Procedure

  1. On Windows Server 2008, click Start, type dcpromo, press Enter, and follow the Active Directory Domain Services Installation Wizard.
  2. From the left navigation bar, click Roles > Add Roles and follow the Add Roles Wizard.
  3. Deselect the Use advanced mode installation check-box and click Next.
  4. On the Select Server Roles page, select Active Directory Domain Services and click Next.
  5. On the Active Directory Domain Services page, click Next.
  6. Click Next.
  7. Select Create a new domain in a new forest and click Next.
  8. Enter the domain name in the FQDN of the forest root domain field and click Next.
  9. From the Forest functional level drop-down list, select Windows Server 2008 R2 and click Next.
  10. Select DNS server and click Next.
  11. Click Yes to continue.
  12. Click Next.
  13. Enter a password in the Password field, re-enter the password in the Confirm password field, and click Next. Setting a password allows you to restore your Active Directory.
  14. Click Next. Installation begins and takes a few minutes to complete.
  15. Click Finish.
  16. Click Restart Now to restart the server for the changes to take effect.

Configure Active Directory Certificate Services

Step-by-Step Procedure

  1. On the Windows Server 2008, click Start > Administrative Tools > Server Manager. The Server Manager page opens.
  2. From the left navigation bar, click Roles > Add Roles and follow the Add Roles Wizard.
  3. On the Before You Begin page, click Next.
  4. On the Select Server Roles page, select Active Directory Certificate Services and click Next.
  5. On the Introduction to Active Directory Certificate Services page, click Next.
  6. On the Select Role Services page, select Certification Authority and click Next.
  7. On the Specify Setup Type page, select Enterprise and click Next.
  8. On the Specify CA Type page, select Root CA and click Next.
  9. On the Set Up Private Key page, select Create a new private key and click Next.
  10. On the Configure Cryptography for CA page, click Next.
  11. On the Configure CA Name page, enter the CA name in the Common name for this CA field, enter the name suffix in the Distinguished name suffix field, and click Next.

    On this page, click Next to use the computer name and domain name as the default CA name.

  12. On the Set Validity Period page, select the validity period from the Select validity period for the certificate generated for this CA field and click Next.

    The default validity period for the root CA certificate is 5 years.

  13. On the Configure Certificate Database page, click Next.
  14. On the Web Server (IIS) page, click Next.
  15. On the Select Role Services page, click Next.
  16. On the Confirmation Installation Selections page, click Install.
  17. Click Close. The Active Directory Certificate Services and Web Server (IIS) are installed.

Install NPS

Step-by-Step Procedure

  1. On Windows Server 2008, click Start > Administrative Tools > Server Manager. The Server Manager page opens.
  2. From the left navigation bar, click Roles > Add Roles and follow the Add Roles Wizard.
  3. On the Before You Begin page, click Next.
  4. On the Select Server Roles page, select Network Policy and Access Services and click Next.
  5. On the Select Role Services page, select Network Policy Server and click Next.
  6. On the Confirmation Installation Selections page, click Install.
  7. Click Close. The NPS is installed.

Create Certificates

Use this section to create certificates.

Step-by-Step Procedure

  1. On Windows Server 2008, click Start, type mmc, and press Enter. The Console1 page opens.
  2. From the File menu, select Add/Remove Snap-in.
  3. On the Add/Remove Snap-in page, under Available snap-ins, select Certificates, click Add, and click OK.
  4. On the Certificates snap-in page, select Computer account and click Next.
  5. On the Select Computer page, select Local computer and click Finish.
  6. On the Add/Remove Snap-in page, click OK. The Console1 page opens.
  7. On the left navigation bar, under Console Root > Certificates > Personal, select Certificates to see all available computer certificates. The Intended Purposes tab in the right pane lists the Client Authentication, Server Authentication certificate.

    If you do not see the certificate listed under the Intended Purposes tab, you can create a certificate. To create a certificate, right-click on the white space and select All Tasks > Request New Certificate.

    If you do not see a certificate under Selected snap-ins, you can create a certificate:

    1. On the Add/Remove Snap-in page, under Selected snap-ins, right-click and select All Tasks > Request New Certificate.
    2. On the Certificate Enrollment page, click Next.
    3. Under Select Certificate Enrollment Policy, select Active Directory Enrollment Policy and click Next.
    4. Click Finish. Certificate installation is complete.

Configure NPS for EAP Authentication

Use this section to configure NPS for EAP authentication.

Step-by-Step Procedure

  1. On Windows Server 2008, click Start > Administrative Tools > Network Policy Server. The Network Policy Server page opens.
  2. Click NPS (Local) and select Register Server in Active Directory.
  3. Click OK.
  4. Click OK.

Add Radius Authenticator Details

Use this section to add the IP address and the shared secret that are configured on the EX4300 switch.

Step-by-Step Procedure

  1. On Windows Server 2008, click Start > Administrative Tools > Network Policy Server. The Network Policy Server page opens.
  2. Click NPS (Local), expand RADIUS Clients and Servers, right-click on RADIUS Clients, and select New.
  3. On the New RADIUS Client page, under Settings, enter a name in the Friendly name field and IP or DNS address in the Address field. Enter a password in the Shared secret field and re-enter the password in the Confirm shared secret field. The Radius client is added.

Create Network Policies for Users

Use this section to create network policies for users.

Step-by-Step Procedure

  1. On Windows Server 2008, click Start > Administrative Tools > Network Policy Server. The Network Policy Server page opens.
  2. Click NPS (Local), expand Policies, right-click on Network Policies, and select New.
  3. On the New Network Policy page, enter a policy name in the Policy name field, select Type of network access server, select Unspecified from the drop-down list, and click Next.
  4. On the Specify Conditions page, click Next.
  5. On the Specify Access Permission page, select Access granted and click Next.
  6. On the Configure Authentication Methods page, under EAP Types, click Add.
  7. On the Add EAP page, under Authentication methods, select Microsoft: Protected EAP (PEAP), and click OK.
  8. Under EAP Types, select Microsoft: Protected EAP (PEAP), click Edit, and click Next.
  9. On the Edit Protected EAP Properties page, select the certificate from the Certificate Issued drop-down list, select the required certificate, and click OK.
  10. On the Configure Authentication Methods page, click Next.
  11. On the Configure Constraints page, under Constraints, select Idle Timeout, and click Next.
  12. On the Configure Settings page, under Settings > RADIUS Attributes, select Standard, and click Next.
  13. Click Finish. The policy for the user is created.

Add Users to the Active Directory

Use this section to add users to the active directory.

Step-by-Step Procedure

  1. On Windows Server 2008, click Start > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers page opens.
  2. Under Active Directory Users and Computers > Domain-name, right-click on Users, and select New > User.
  3. Enter username and password.
  4. Create user and click Finish. Users are added to the active directory.

Export CA Root Certificate from the server

Use this section to export CA root certificate from the server.

Step-by-Step Procedure

  1. On Windows Server 2008, click Start, type mmc, and press Enter. The Console1 page opens.
  2. From the File menu, select Add/Remove Snap-in.
  3. On the Add/Remove Snap-in page, under Available snap-ins, select Certificates, click Add, and click OK.
  4. On the Certificates snap-in page, select Computer account and click Next.
  5. On the Select Computer page, select Local computer > Trusted Root Certification Authorities > Certificates. In the right pane, your root CA certificate is listed.
  6. Right-click on your root CA certificate and select All Tasks > Export. Follow the Certificate Export Wizard and click Next.
  7. On the Export Private Key page, select No, do not export the private key and click Next.
  8. Select the DER encoded binary X.509 (CER) file format and click Next.
  9. Choose a folder and file name, click Next, and click Finish to complete the export.
  10. Copy the certificate that you have exported to a USB drive or any other storage device and transfer the certificate to your Windows client.

Import CA Root Certificate to Windows 7

Use this section to import CA root certificate to Windows 7.

Step-by-Step Procedure

  1. Double-click on the certificate file that you exported on your Windows 7 computer and click Install Certificate.
  2. Click Next.
  3. Select the Trusted Root Certification Authorities tab and click Import.
  4. In the Certificate Import Wizard, click Finish. A security warning message is displayed that you are about to trust a new root certificate. Click Yes to continue. The CA root certificate is imported on Windows 7.
  5. Add this certificate in the Windows registry.
    1. On Windows Server 2008, click Start, type cmd, and press Ctrl+Shift+Enter. A command prompt with administrative rights opens.
    2. Enter the following command:
      Desktop> certutil -f -enterprise -addstore NTAuth <certificate-name>

Configure EX Switch for the Authenticator Role

Use this section to configure EX switch as an authenticator.

User-facing interfaces should be enabled for dot1x. The device being authenticated must be reachable by the RADIUS server so that EAP frames can be processed.

Step-by-Step Procedure

  1. Configure the EX switch:
    user@host# set access radius-server server-ip port 1812 secret secret-password
    user@host# set access profile dot1x authentication-order radius
    user@host# set access profile dot1x radius authentication-server 192.0.2.1/24
    user@host# set protocols dot1x authenticator interface ge-0/0/46 supplicant single
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
  2. Verify the configuration:
    user@host# run show dot1x interface

    For example:

    root@EX4300# run show dot1x interface
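
The shared secret entered on the NPS RADIUS client and in the switch's radius-server statement must be identical, because it keys the Message-Authenticator (HMAC-MD5) that RFC 3579 requires on every Access-Request carrying EAP, and a server silently discards requests that fail the check. The following is an added example, not part of the original procedure or of any Juniper or Microsoft code: it builds such a request and runs the server-side check. The secrets, user name, and packet contents are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RFC 2865 / RFC 3579 types


def attr(attr_type, value):
    """Encode one attribute: Type, Length (includes the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, user, eap):
    """Access-Request as the authenticator (the switch) sends it for EAP."""
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet += os.urandom(16) + attrs  # 16-byte Request Authenticator, then attributes
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here


def verify_access_request(secret, packet):
    """Server-side check: 'ok' or the reason the packet is silently discarded."""
    if len(packet) < 20:
        return "discard: short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "discard: malformed header"
    pos, mac_at = 20, None
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return "discard: malformed attribute"
        if packet[pos] == MESSAGE_AUTHENTICATOR and packet[pos + 1] == 18:
            mac_at = pos + 2
        pos += packet[pos + 1]
    if mac_at is None:
        return "discard: Message-Authenticator missing"
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_at:mac_at + 16]):
        return "discard: Message-Authenticator mismatch"
    return "ok"


# Constructed sample values: EAP-Response/Identity (code 2, id 1, type 1) for "alice".
IDENTITY = b"alice"
EAP = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY
REQUEST = build_access_request(b"switch-side-secret", 7, IDENTITY, EAP)

if __name__ == "__main__":
    print(verify_access_request(b"switch-side-secret", REQUEST))  # secrets match
    print(verify_access_request(b"nps-side-typo", REQUEST))       # secrets differ
```

A mismatched secret and a packet modified in transit produce the same silent discard, so when the switch reports RADIUS timeouts, compare the secret on both sides before troubleshooting certificates or policies.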

Enable dot1x client for Dot1x

Step-by-Step Procedure

  1. On the user device, click Start, type services.msc, and press Enter. The Wired AutoConfig page opens.
  2. Right-click on Wired AutoConfig and select Properties. The Wired AutoConfig Properties page opens.
  3. From the Startup type drop-down list, select Automatic, click Start, and click OK.
  4. On the user device, click Start > Control Panel.
  5. Double-click Network and Sharing Center and click Change adapter settings.
  6. Right-click on Local Area Connection and select Properties. The Local Area Connection Properties page opens.
  7. Click the Authentication tab and complete the following:
    1. Select the Enable IEEE 802.1x authentication check-box.
    2. From the Choose a network authentication method drop-down list, select Microsoft Protected EAP (PEAP).
    3. Click Settings. The Protected EAP Properties page opens.
    4. Select the Verify the server’s identity by validating the certificate check-box, select Secured password (EAP-MSCHAP v2) from the Select Authentication Method drop-down list, and click Configure.

      If this is a Domain Computer, select the Automatically use my Windows logon name and password (and domain if any) check-box.

    5. Click OK to return to the Ethernet Properties page and click Settings.
    6. Click OK to return to the Ethernet Properties page and click Additional Settings.
    7. Select the Specify authentication mode check-box and select User authentication from the User or computer authentication drop-down list. Click OK.
  8. Click OK on the Ethernet Properties page to finish the dot1x configuration. You are now ready to connect to the network using PEAP.