
MICROSOFT NPS

Install the NPS role on Active Directory, then follow these instructions.

© 2012 XIRRUS :: All Rights Reserved 1


RADIUS SERVER CONFIGURATION
• Pre-installed Assumptions
  • Windows 2008/2012 Server
  • Active Directory Role Installed
  • Active Directory Certificate Services Installed
  • Network Policy Server Installed



RADIUS SERVER CONFIGURATION
• Add Users to the Appropriate AD Groups



RADIUS SERVER CONFIGURATION
• Configure the Network Policy Server
  • From the Getting Started page, select “RADIUS server for 802.1X Wireless or Wired Connections”, then click “Configure 802.1X”.



RADIUS SERVER CONFIGURATION
• Set Type of 802.1X connection to “Secure Wireless Connections”
• Give the policy a name that is descriptive of the AD group the policy will apply to and click Next.



RADIUS SERVER CONFIGURATION
• Add the arrays in your network as RADIUS clients and define a shared secret. It is recommended to use the same shared secret for all arrays. Click Next when finished.
  • You can add an entire subnet using CIDR notation.
  • 10.200.1.0/24 = 10.200.1.0 mask 255.255.255.0



RADIUS SERVER CONFIGURATION
• Select the EAP type – Microsoft: Protected EAP (PEAP)
• Click Configure
  • Select the certificate issued to the server
  • Enable Fast Reconnect
  • Make sure “Secured Password (EAP-MSCHAP-v2)” is added.
• Click OK, then Next



RADIUS SERVER CONFIGURATION
• Add the AD Group or Groups that will apply to this policy and click Next.



RADIUS SERVER CONFIGURATION
• Do not configure Traffic Controls for this exercise, just click Next.
• Verify your settings and click Finish.



RADIUS SERVER CONFIGURATION
• Configure RADIUS Attributes
  • Open NPS, expand the Policies section, then select Network Policies



RADIUS SERVER CONFIGURATION
• Right-click on the Xirrus Staff Policy and select Properties
• Click on the Settings tab and select Standard RADIUS Attributes
• Add the following attributes (the first 2 should already exist)
  • Framed-Protocol = PPP
  • Service-Type = Framed
  • Tunnel-Type = VLAN
  • Tunnel-Medium-Type = 802
  • Tunnel-Pvt-Group-ID = VLAN ID that the group should be placed in
• Apply and click OK
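
An added example, not part of the Xirrus slides: the Python below encodes the five attributes listed above as RADIUS TLVs and checks an attribute block (for instance, one copied from a captured Access-Accept) for a complete 802 VLAN assignment. The function names are illustrative; the numeric codes are the standard ones from RFC 2865, RFC 2868 and RFC 3580.

```python
import struct

# RADIUS attribute type codes and values (RFC 2865, RFC 2868, RFC 3580)
SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
FRAMED, PPP, VLAN, IEEE_802 = 2, 1, 13, 6

def encode_policy_attrs(vlan_id, tag=0):
    """Encode the five attributes from the slide as RADIUS TLVs."""
    out = struct.pack("!BBI", SERVICE_TYPE, 6, FRAMED)
    out += struct.pack("!BBI", FRAMED_PROTOCOL, 6, PPP)
    # Tunnel-Type and Tunnel-Medium-Type: 1-byte tag, then a 3-byte value.
    out += struct.pack("!BBI", TUNNEL_TYPE, 6, (tag << 24) | VLAN)
    out += struct.pack("!BBI", TUNNEL_MEDIUM_TYPE, 6, (tag << 24) | IEEE_802)
    # Tunnel-Pvt-Group-ID: optional tag byte, then the VLAN ID as a string.
    value = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return out + bytes([TUNNEL_PVT_GROUP_ID, len(value) + 2]) + value

def decode_attrs(data):
    """Split an attribute block into {type: value}; reject bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length for attribute {atype}")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def assigned_vlan(data):
    """Return the VLAN ID the attributes assign, or None if the
    Tunnel-Type / Tunnel-Medium-Type / Tunnel-Pvt-Group-ID set is
    incomplete or does not describe an 802 VLAN."""
    a = decode_attrs(data)
    ttype, medium = a.get(TUNNEL_TYPE), a.get(TUNNEL_MEDIUM_TYPE)
    group = a.get(TUNNEL_PVT_GROUP_ID)
    if not (ttype and medium and group) or len(ttype) != 4 or len(medium) != 4:
        return None
    if int.from_bytes(ttype[1:], "big") != VLAN:
        return None
    if int.from_bytes(medium[1:], "big") != IEEE_802:
        return None
    if group[0] <= 0x1F:  # a leading byte up to 0x1F is a tag, not text
        group = group[1:]
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None
```

A result of None from `assigned_vlan` means one of the three Tunnel attributes is missing or malformed in the policy's reply.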



RADIUS SERVER CONFIGURATION
• Create more RADIUS policies for each group of users to be supported on the wireless network
• Use the Duplicate Policy feature to copy the features of one policy into another (right-click the policy to be duplicated).
• Modify the new policy to include the proper AD group and change the Tunnel-Pvt-Group-ID to match the appropriate VLAN



TIPS AND RECOMMENDATIONS
• Use Dynamic VLANs in any environment that utilizes WPA2 802.1X authentication
• Reducing the number of SSIDs increases wireless network performance
• Use Dynamic VLANs in combination with Xirrus Groups for granular firewall/QoS/Application Control features on a per-user or per-device basis.
