Version 1.0
Tobias Rice
This will be a basic setup using Windows 2008 Server to allow dot1x auth with an Aruba controller. Steps to have a basic installation include:
1. Rename the server
2. Setting server as Domain Controller
3. Installing Certificate Services
4. Request Certificates (optional)
5. Installing Network Policy Services (previously IAS)
6. Creating Group Policies

Rename The Server
Something different about Windows 2008 Server is that the server name is auto-generated and you are not given a chance during the install to name the server, so you must do so before installing Active Directory or Certificate Services.
In the Initial Configuration Tasks window, click the Provide computer name and domain link.
Enter a Computer description and click the Change button to change the computer name. I'll be using WLANDC as my name and description.
Enter the Computer name and click OK and reboot when prompted.

Setting Server as a Domain Controller
For this example we set up a new forest for the wlan.net domain. Server 2008 abstracts most server functions into Roles, so we'll be adding the Active Directory Domain Services Role with the Server Manager by clicking Roles and clicking Add Roles.
Select the Active Directory Domain Services Role.
Click through the confirmation screens and click Install. You should see an installation progress screen and finally an installation success message that asks you to run the command dcpromo.exe, which will configure your domain. So click the link to run dcpromo, or click the Start button, select Run and enter dcpromo.exe. You should now see the Active Directory Domain Service install wizard. Click Next to continue.
Choose Create a new domain in a new forest and click Next.
For our example domain we'll use wlan.net. Click Next and it will check to see if the name is already used on the network.
When asked to set which Forest Functional Level, I used the 2008 level.
The next screen you'll see is a warning that the DNS service isn't installed and will offer to install it for you. Just click Next to accept and install.
It will display the following warning, just click Yes to continue.
Just accept the defaults and click Next.
Now you'll be prompted to enter a Directory Services Restore Mode Administrator Password. Enter a password and click Next.
Click Next at the Summary screen.
You'll now see the Installation Wizard install DNS and Active Directory. Check the Reboot on completion box and once the wizard finishes it'll reboot and be ready for the next step.

Installing Certificate Services
To enable PEAP or EAP-TLS we'll need to install Certificate Services to enable a Certificate Authority (CA) to generate and sign certificates for our domain. Again, add a Role via the Server Manager and select Active Directory Certificate Services and click Next.
Click through the confirmation screen and select Certification Authority and Certificate Authority Web Enrollment, which will tell you that you'll need IIS to be installed to use the Certificate Authority Web Enrollment. Click Add Required Role Services and click Next to continue.
When prompted for which type of Certificate Authority to install, choose Enterprise.
When prompted for CA Type, select Root CA and click Next.
When prompted to Set Up Private Key, select Create a new private key and click Next.
When prompted to Configure Cryptography for CA, accept the defaults and click Next for the rest of the confirmation screens.

Request Certificates (optional)
Now that we have our Certificate Authority (CA) up and running we may want to request a certificate for our Authentication Server.
We'll create a Microsoft Management Console (MMC) that will allow us to request and install the certificate for our server. Press the Start button and enter MMC in the command field to open the MMC. Next we'll add the Certificate (For Local Computer) snap-in by clicking File and choosing Add/Remove Snap-in. Select Certificates and click Add.
Now be sure to select Computer Account and click Next.
Choose Local Computer, click Finish and OK.
TIP: While you're here you might as well add the Certificate Authority snap-in and save this MMC to your desktop because you'll need it again in the future.
To request a certificate for your server (if you don't want to use the default certificate) expand Certificates (Local Computer Account), Personal, and right-click Certificates and select All Tasks, Request New Certificate.
Click through the Enrollment screens choosing the settings you desire for your certificate.

Installing Network Policy and Access Services
In Windows 2008 Server you can no longer just install the Internet Authentication Service (IAS) and have RADIUS functionality. You must now install Network Policy and Access Services, which now include everything from earlier versions of Windows server such as RRAS/IAS/etc, but now includes NAP (think NAC for Windows). We will be installing and configuring just enough to enable PEAP and RADIUS functionality with our Aruba controller. So once again head to the Server Manager and Add a Role, selecting Network Policy and Access Services, and click through the confirmation screen.
Select Network Policy Server, Routing and Remote Access Services, Remote Access Service and Routing. Click Next, click through the confirmation screen and click Install.
Installation will take a couple of minutes and present you with an install summary. Just click Close.
Now that NPS is installed, press the Start button and enter nps.msc in the command field. The NPS MMC should open up, allowing you to select the RADIUS server for 802.1X Wireless or Wired Connections Installation Wizard from the Standard Configuration pull-down menu and click Configure 802.1X.
From the Select 802.1X Connections Type page, select Secure Wireless Connections and click Next.
From the Specify 802.1X Switches screen click Add and enter the settings for your Aruba controller and press OK.
For the Configure an Authentication Method screen select Microsoft Smart Card or other certificate for EAP-TLS or Microsoft Protected EAP (PEAP) for PEAP. I will be selecting PEAP for this example and clicking Configure.
Select the appropriate certificate to use for this server. In this case we'll use the WLANDC.wlan.net certificate and click OK.
For the Specify User Groups screen select the users and/or groups you would like to allow wireless access. For this example I am allowing all of my domain users by selecting the Domain Users group. If I want to enforce Machine Authentication I need to add the Domain Computers group as well as checking the Enforce Machine Auth option in the dot1x policy on my Aruba controller. Click Next to continue.
Note: Groups listed here are considered as an OR statement.
For the next screen you can click Next and Finish or click Configure to add RADIUS attributes for Server Derivation rules.
For example, you may want to map the Domain Users to the employee_role on your Aruba controller. You could do that here with the Filter-Id attribute.
Note: There seems to be a bug in Windows: if you mess with these attributes too much, the Filter-Id attribute vanishes. If this happens, cancel out of the wizard and start over.
Press Next and Finish to complete the wizard. This should now allow you to authenticate users against your Windows 2008 Server. To test your configuration, ssh to your Aruba controller and configure it to use the new RADIUS server.
(MC800) >en
Password:******
(MC800) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(MC800) (config) #aaa authentication-server radius nps
(MC800) (RADIUS Server "nps") #host 10.1.0.236
(MC800) (RADIUS Server "nps") #enable
(MC800) (RADIUS Server "nps") #key p@ssw0rd
(MC800) (RADIUS Server "nps") #nas-identifier ArubaMaster
(MC800) (RADIUS Server "nps") #nas-ip 10.1.0.250
Now test to see if everything is working properly.
(MC800) #aaa test-server mschapv2 nps tobias qwerty12!@
Authentication successful