Windows NPS (RADIUS) with Cisco and Meraki Wireless

Captions
Hello everybody and welcome. Today we're going to be looking at setting up a Cisco wireless LAN controller and a Meraki cloud-based access point, all using RADIUS, using a Microsoft Windows 2016 server. So the first thing we need to do is actually set up the 2016 server. I've got the 2016 server here on my main screen, so we need to log in. All right. Now, I've made the font nice and big, so I hope it will sharpen the recording. The most important thing to note, in fact I'll bring this up just quickly to show you, is that this server needs certain roles and responsibilities as part of it. Now, you could probably get away with this server just being a member server of the domain, but it must have legitimate domain-wide credentials as far as certificates go, because one of the key authentication processes we're going to use requires a certificate. So I made this a domain controller and I installed Certificate Services just for the sake of it. But if you had a full-blown domain already to go, this can be a standalone server; you just have to go to your certificate authority person, or do it yourself if you know what you're doing, and actually get that proper certificate onto your system, because it needs the certificate. I'm pretty sure that certificate is the most important part of it. You can see here that I've got Active Directory Domain Services installed and Certificate Authority installed, and like an idiot I left the name as a stupid random IP address before I sent the certificate, and I can't change it any more, so you're going to see when we start doing certificates that it has got a silly name. I apologise for that. So I installed Directory Services and I made a certificate authority, so it has a certificate, and then I installed NPS, the Network Policy Server from Microsoft, and this is the key to setting up your RADIUS server. So here it is, I've got it on the desktop, so I just double-click on the Network Policy Server.

I've made the font size big so hopefully it's easy to read. There are multiple parts to this: we've got the RADIUS clients and servers, and we've got the policies. The way you've got to remember RADIUS works is that your devices form a relationship with the server, so the server has to communicate securely with the devices and the devices need to communicate securely with your server, so we put constraints and restraints around that. So the first thing we're going to do is add a new client. Now in the real world, what we would do is, if we had some controllers we'd put in their IP addresses; if we had a bunch of access points we'd put in the individual IP addresses; or if you had, like, 300 access points on a couple of subnets, you'd just put in those subnets, and you'd actually create multiple groups so you make sure that everything's secured, and if anything goes haywire you can actually remove just one client. So if I was doing this properly I'd put in at least three or four different clients and say this is my Cisco wireless controller, this is a range of Meraki controllers, these are my routers, these are my switches; I'd put in multiple sets of clients. But I'm feeling a bit lazy, so I'll put in just one group, and I'm going to put in a wildcard, because I know that all the networks I've set up here, as you'll see in the diagram when I show that in a minute, are all 192.168.something. Now we put in a secret key; it's our super secret key that we always use. Now, if you've got a really ridiculous, crazy super secret key that maybe you're not even meant to know, someone else, an administrator, can set up a policy, so you say "use security policy key 7", for example. You don't know what it is, you can't find out what it is, because someone else has locked it down. But that's what this field is. And we're going to say OK. So now we've said that devices are going to come to you from 192.168.0.0 and they're going to use this key.

So the second thing we need to do is set up the connection profiles. So we go into here, connection profiles, and there are always the default ones, so we have to create a new one. We right-click and we go New, and we'll call it Cisco, and we say Unspecified because it's not actually doing any kind of specification. Click. And the conditions: remember this is a policy server and everything's based on policy, and how do we write policies? We write policies based on conditions and constraints. But for this one we just want anyone. So look, we've got username, we've got IP address, we've got all this sort of stuff, but none of this is super important. We can have different vendors, but we're going to come all the way down here to the bottom one and go NAS Port Type, and we're going to click on Wireless. Now according to all the instructions I've read, this is enough, but some people disagree and they say, you know what, there's also this extra setting called Wireless - Other, because sometimes different controllers and different access points send something a little bit different. So we're going to say both of the wireless ones. So there we have our NAS Port Type, Wireless, and we click Next. We don't do authentication here because we're going to do authentication in the next step, and we click Next and click Next and we say Finish. So this one policy, whoops, oh, and we want to move it to the top too. So this one policy has just got one setting; it just makes sure that the client that is trying to connect to the server is using one or both of these two. Now here's where we create the policies. So once again there are some default policies, so we right-click, we say New, and what we'll do is make two policies, because I want to show you the power of the way we're setting this up.

So let's make a default, whoops, Default All Users Policy. I'm a bit old-school; I like the word "policy" in my policy statements. I know they probably don't need it, but they might. So Default All Users Policy, we go Next. Now once again we need a set of conditions. So the first condition we want to put in is, look, here we've got some groups. Now I've actually gone to the trouble of creating three users: Bob, Frank and Steve. All three of those users are in Domain Users, but only Steve is in a special group. So we'll add Domain Users, because that is what we want to do. This is that classic finder group thing, so if we just go to Domain Users, click Check Names, Domain Users is done. So that's our Domain Users; this is the first condition for this group: it has to be Domain Users. Now the second: now we want to say Access, because you could also work backwards: you could create a whole group of users in here and have a policy that doesn't allow access. Oh, we're going to say hello. Now we want the authentication types. Now we've got smart card or certificate, PEAP, or MS-CHAP. Smart card certificate's a bit annoying to set up on the two wireless devices I'm going to play with today, so we'll just set up PEAP and we'll just use MS-CHAP as a fallback. Now here's the killer. You may have noticed, or you probably didn't notice, that they added just fine, whereas the first time I tried this they broke, because if you look inside PEAP, and I go Edit, it is bound to this certificate. This certificate is the only certificate on the whole box, and I had to create this using the certificate authority function. So if you haven't got this magical certificate already on your Windows server, this isn't going to work. This is what I accidentally did last year: I forgot about the certificate and I thought I could bluff it, and it didn't work, and it was really embarrassing. But now, this is critical: you've got to have a certificate. And I'm pretty sure that's just because it's the Microsoft version, so PEAP is what people are probably going to use, and this is the second one, and I think we untick the rest, because we don't want those; we just want these. It's pretty much going to use those two. There we go, Next.

Now we won't worry about the time constraints, but you could have time in here, you could have time of day. In fact, what we'll do after this, after we've got it working, is test that out. And the last thing we need to do is add some RADIUS-specific criteria. So we go Add, and the ones we want are right down the bottom, and they're in the tunnel section. So the first one is the Tunnel-Medium-Type. Where's that? Whoops, Tunnel-Medium-Type. We've got Add, there we go, Add, and there are only a few options; there's literally only one option, I don't know why that's not the default, but let's click there. So that's set. And the second one we need to add is the tunnel type itself, Tunnel-Type, and once again it needs to have a value inside it, and this is going to be, all right, wrong one, sorry, VLAN, because we're going to use VLANs, and I'll show you what we're going to set up in a minute. So we click OK and we click Next. Oops, sorry, Close. So we've got the Tunnel-Medium-Type is that one, and the Tunnel-Type, and we click Next, now click Finish. So now once again we need that at the top, so we go top, top. So let me just scroll down here and check my cheat notes and make sure that it's got all the stuff that I want. Oops, there's always something. No, that's good to go; that's everything with it. All right, so now we've set up a policy, a simple policy.

So let us now go to our wireless LAN controller. It's probably logged me out. No, it hasn't logged me out. Now, right now I've only got one SSID, and that's a pre-shared key. So we're going to add a new one. We're going to create a new WLAN, and we're going to call it this one, because it's got a silly name, because why not? So the names are fun, and it has three parts: it stands for Network Lunchbox, C for Cisco, and dot1x. So I'm going to Apply. Now we're going to put this on VLAN 40 to begin with, because we'll assume that you're just a normal generic student. Now under Security we're going to say 802.1X, which is the default, that's fine, but more importantly, oh sorry, I forgot a step: we have to add the server first. So we're going to go to Security. Over here we have our AAA settings, so we have to actually add that RADIUS server, because we added it on the server and now we're going to add it on the controller. So RADIUS Authentication, we go New, we go 192.168.80.20 and we put in the lovely shared super-duper secret. Obviously I can't type now. Ah, there we go. Remember I said before about the port numbers: this is 1812; this is what this port expects to be. I'll click Apply, and I'll just add accounting as well. I haven't played much with accounting, but we'll put it in anyway, and that way we can see if accounting gives us anything. On other controllers I've used in the past, ClearPass and Cisco ISE, accounting has been easy to find, but I've never looked for it on Windows, so maybe we'll look for that as well. All right, so let us actually just make sure that it's happy. There's a little ping button over here, so we got ping success. All right, so the controller can see this RADIUS box. So we go back to, all right, so the authentication server is set up, so we'll go back to wireless, because that's only, oh sorry, go back to WLANs, that's only half done. So we want the 802.1X, and we need to come into, come on, don't do this, Security, AAA Servers, and now the boxes are good to go. So now we've actually set it up to say, when you do authentication, we want you to use this as your first preference of server, and look, you get up to six servers. And just to make things a bit slicker I'm going to get rid of those two authentication methods, so it's not even going to try local, it's not even going to try LDAP; this is going to straight up use RADIUS. So let's triple-check: we've got 802.1X as our policy, number three is None, and we've got our address, and we're going to click Apply. All right, so that should be good to go.

So I bring up my little camera tool. So we want the C, cisco.dot1x, that's the first one. All right, now we're going to use a name. Let's put in Frank, because we like Frank. So we go Frank, and we put in Frank's super secret password. We click Join. Now this is really important: notice here that we're getting a certificate pushed back at us, and this is the dodgy certificate I made. It's a self-signed certificate, so it's not trusted, but you can see that at least it's a certificate. So in the real world what you would do is actually go to the trouble and buy a real certificate and put it on the controller, and when you put a real certificate on the controller you don't get asked at this step, because your iOS automatically trusts the certificate. All right, and it's thinking about joining, thinking about it, thinking about it, please don't embarrass me. Excellent, big green tick, and click on information, and we're on VLAN 40. Remember how we said we're going to put this on VLAN 40. Sorry about Plants vs. Zombies 2. So I'll use my other hand to stop getting in front of the screen. So this is on VLAN 40, 192.168.40.30, and that's great. So let's forget this network again. Forget.

Now we have another user in our business called Steve. So Frank is a student; we don't care much about Frank, and Frank being on student is fine. So we're going to log in now as Cisco again, we're going to log in this time as Steve, and we're going to log in again. Steve, admin password, super secret password, Join. Same again: every time you connect you get challenged, but that's civilians; that can get really annoying really fast. So we have logged in as Steve. Now Steve's a bit more important. Oh look, Steve's still on VLAN 30 as well. There must be something we can do, right? There must be something that exists. So let's forget that network, and let's now make Steve super special. So let's get back to the Windows, this one, where is it, this one. Now let's make a policy for Steve, because we want Steve to be awesome. So we're going to make a new policy. So you know what, let's make our life a hell of a lot easier and copy the existing policy, because the existing policy is good. So we're going to duplicate this policy. Kapow. Now let us just add something a bit interesting. So let's call this Default, let's call this User Policy for Special Users. I don't know. Now conditions: let's not make it Domain Users, because I've got Steve, and I've gone to the trouble of putting Steve in a special group, a special group called Wi-Fi, I think it's called Wi-Fi Users, we'll find out in a minute if I've done it right. Oh, what's it called? It's Wi-Fi something, that's Wi-Fi Staff, I think. Let's see, what did I call it? Yeah, I called it Wi-Fi Staff. So I've made a special group called Wi-Fi Staff and Steve is the only member. So now it's Wi-Fi Staff. Now constraints are the same; we want all the same authentication. But now under Settings we're going to go a little bit more funky, and we're going to add an extra field, and you might think to yourself, well, what the hell is he going to add now? Well, we are going to add Tunnel-Pvt-Group-ID, and we need to put in the numerical value, so we are going to put in 70, because we want Steve, we like Steve, and we want Steve to be on VLAN 70. So now we have the same things: we've got Tunnel-Medium-Type, we've got Tunnel-Type, and now we have Tunnel-Pvt-Group-ID. Apply. Now here's a very important step. Notice that this is done in order, so because Steve is special we need to move him to the top. Move, move, move. So now this group is checked first, so it will check for any members of the group Wi-Fi Staff; if you're not in that group then we'll do the second policy. So let's now bring back up Steve. Being nice to me today. I know, we're still on VLAN 40; there's something we've forgotten. Let's look at this. So it's on 40; that's correct, VLAN 40.

We have to go under here, in Advanced. Here is the boss of all bosses, because the RADIUS server is pushing back a value but our security policy on the controller is ignoring that. So we're going to tick this box and say, you know what, if the AAA server has something interesting that it wants to give us, we're going to accept that information. So we click Apply and Apply. So theoretically now, if I forget this network and rejoin it: yes, the demo gods are being nice to me today. So because we've gone to the RADIUS server and we've added Steve's group and said if you're part of Steve's group, make you go into VLAN 70 instead, and we've trusted that setting from the RADIUS server, it's now pushing out. So we are now using a Windows-based server, we're just setting up a bunch of groups, and based on those groups we can now populate different users on different VLANs. Now you might think, Josh, what are you doing, what a waste of time. No, because how many SSIDs have we created? One. Remember, more SSIDs, slower network. If you've got seven SSIDs, that's too much junk in the air. Don't have seven VLANs and seven SSIDs; have one SSID with seven VLANs, and just have the back end do all the magic for you.

So just by way of comparison, let's have a look at how it looks on the Meraki side of things. So here's the Meraki dashboard, and I've got this SSID that I was playing around with. I'm going to completely change it, so we're going to edit. We don't want to use, oh no, first of all, sorry, let's rename it, because that name, we'll rename it and we'll call it meraki.dot1x this time, so it's going to be the Meraki, we're going to make a meraki.dot1x, exactly the same thing. So we're going to edit settings. Now currently it's set to pre-shared key; we don't want that, we want RADIUS. Now there is a Meraki cloud authentication, but like I said before, I'm not that big a fan of it, because I don't know that I trust my RADIUS communications going off to the cloud and back again. So we're going to use a local RADIUS server. Obviously we're using Windows today because it's quick and cheap and fast and easy, but if you've got the money, definitely look at Cisco ISE or Aruba ClearPass, because they have OS version, time of day, physical location, MAC address or manufacturer code, and multiple forests, not just one Active Directory, multiple forests, security groups, anything you can imagine. But we're just doing this slowly and quietly. So we want a RADIUS server, so we scroll down a little bit and we find the RADIUS server. Here it is; I've already played around configuring it, and we go Test. So let's test with Frank, because we know Frank works. Go, Begin. Now I've got three of these Meraki access points, but one of them isn't plugged in at the moment, so that's why we always get this lag, because otherwise it would instantly check all of them straight away. So three APs: one passed, one failed, one isn't plugged in, but the one that passed is the key, because look at all this stuff here that has come back from the controller. Let's look at what happens if I change Frank's username to something that doesn't exist at all. We should get an error. There you go; it's got nothing, so it's no good. Now, just by way of comparison, we'll do Frank again, just so that I can get a good clean screenshot of this. So we've got all of this lovely data; this has been pushed back from the RADIUS server, but notice it didn't really use any attributes, it just said yes, we're happy, we're going to use you. By way of contrast, let's see what happens if we do Steve, because remember we created that second group. This is why I love the Meraki, because this testing engine saves your bacon. Ah, look what happened. Now we have got back something that this Meraki cloud is happy with and understands, and the most important thing is this number here: VLAN 70.

So now we've proved that not only can we communicate with the RADIUS server, but it's giving us back a value. So I'm going to save this, just because I don't want to lose anything. So we scroll back down to the bottom here, so there's our RADIUS server. Now this is what's important as well: I've set up this access point as bridging, but it's set up as a trunk. So for the Cisco it's not a trunk; it's a single access port, and everything goes inside the CAPWAP tunnel. So it goes through the air, through the access point, through the CAPWAP tunnel to the controller, then the controller spits it down to whatever VLAN it needs to be on. But the Meraki doesn't work like that. The Meraki is an autonomous access point that's cloud managed, so I've run a trunk with all the VLANs up to this access point, and I've said that if you join, it uses trunking, and I've said when you join this Meraki access point you are dumped on VLAN 30. So let's actually try that now to make sure that everything works. So I've saved that; I'll save it again, just to be sure. That warning is because I've got a pre-shared key. Keep this pre-shared key, my piece of junk. So let's bring this back up again. The M for Meraki is going to let us join in, and we got a big tick. So we tap this bad boy: VLAN 30, fantastic. Now, so this works. So now, this is something I changed ahead of time, and I was hoping that it wouldn't work, so I'd changed it to show you that it does work, but because I saved it previously and then I reverted it, it's remembered. This is the setting; this is the same setting as in Cisco land: RADIUS override, ignore what the RADIUS says or trust what the RADIUS says. So if I forget this network again and we go Info: VLAN 70, because once again we've told the Meraki that if the RADIUS server goes to all the trouble of actually giving us some VLAN information, we are going to trust that VLAN information.

So let's have a quick double-check back at the server to make sure we're happy with everything we've seen. So this is the relationship between us and the server, the clients, so the server's got a pre-shared key. Then we have a simple request to say the type of authentication requests you're going to receive are wireless. We can still use this same server and the same groups and do switch and router authentication; we just have to add another connection request policy to say, you know, you're going to get RADIUS from a switch this time, not a wireless thing. And then we have the policies. So the default policy was simple: we just had Domain Users, simple authentication, good authentication I should say, and just generic values that may or may not even need to be there; it still will work. And then for the special users we had a different group, and we pushed an extra value back at them to say 70. Oh, what's that saying? Oh, that's a chat domain. So that's user, see, it reached in and it got the username. Well there you go, see, client IP address, it is in there. Remember I said look for client IP address, Client IP Address data, or maybe the data type three is important. So, Client IP Address, Access Client, my pages, so it's definitely there, because remember it's coming, that's the information I was trying to check, because that is what is being pushed back as being on the intermediary. So that's the rule, that's the profile, that's Steve again for user policy, blah blah blah. So absolutely. So it's called, all right, so maybe Windows doesn't understand this string, Client IP Address; maybe that's my problem, because I've got Access Client Address, I've got a Client Friendly Name, where is it, Client, oh, it was there. All right, so we'll get rid of these because they're obviously doing nothing. All right, so now, and this one you can go to, all right, so now we want to see if Steve goes on VLAN 150, and if he does then that's awesome. That means you can do, apart from that, you could probably do manufacturer codes as well if you're super brave. Demo gods are going to be nice to you. OK, I can die happy now. There you go.

So you can now use a single, because the question in the chat was how do you do centralised RADIUS. Well, this is how: you have a centralised RADIUS server and you've got three different sites; you put in your restrictions of the client IP to say, when these guys ask me, put them on this VLAN; when those guys ask me, put them on a different VLAN. So there you go. All right, I'm going to screenshot that, because that's awesome. I'm super pumped that that worked, because I thought it was possible but I didn't realise how awesomely possible it is. Oh, thank you, thank you. All right, well, I've pushed this demo pretty much as far as I want, much further than I wanted to. So if you wanted to, oops, sorry, wrong one, I need this one, click here, click here. So thanks for watching. Please remember to subscribe, click the notification bell, if you enjoyed this video give me a thumbs up, and leave me a comment with what you'd like me to make for my next video. I'll see you in the next one.
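The mechanism walked through above (ordered NPS policies, the three tunnel attributes in the Access-Accept, and the controller's AAA/RADIUS override switch) modelled in Python as an added example; this is not code from the video, Microsoft or Cisco. The users, groups and VLAN numbers come from the walkthrough; the tag value of 1, the policy data model and the group memberships are constructed assumptions.

```python
"""RADIUS VLAN assignment as described in the video, modelled end to end.

Constructed example: an NPS-style ordered policy list, RFC 2868 tunnel
attributes in an Access-Accept, and the controller's AAA override decision.
"""
import struct

# RADIUS attribute types (RFC 2868) and the enumerated values used for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802 (the only sensible option)

# Ordered network policies, first match wins: the Wi-Fi Staff policy was moved to the top.
POLICIES = [
    {"name": "User Policy for Special Users", "group": "Wi-Fi Staff", "vlan": 70},
    {"name": "Default All Users Policy", "group": "Domain Users", "vlan": None},
]
# Constructed AD membership: all three are Domain Users, only Steve is in Wi-Fi Staff.
GROUPS = {"bob": {"Domain Users"}, "frank": {"Domain Users"},
          "steve": {"Domain Users", "Wi-Fi Staff"}}

def evaluate_policies(user):
    """Return the first policy whose group condition matches, or None (Access-Reject)."""
    member_of = GROUPS.get(user.lower(), set())
    for policy in POLICIES:
        if policy["group"] in member_of:
            return policy
    return None

def _tagged_int(attr_type, value, tag=1):
    # Tunnel-Type / Tunnel-Medium-Type wire format: type, length, tag, 3-byte integer.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def build_accept_attributes(policy):
    """Attribute bytes the RADIUS server puts in the Access-Accept for this policy."""
    if policy["vlan"] is None:
        return b""                       # default policy: accept with no tunnel attributes
    vlan, tag = str(policy["vlan"]).encode(), 1   # Tunnel-Pvt-Group-ID is a string: "70"
    group_id = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(vlan), tag) + vlan
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN) +
            _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802) + group_id)

def parse_attributes(data):
    """Walk the type/length/value list and strip the RFC 2868 tag byte where present."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        value = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) \
                and value and value[0] <= 0x1F:
            value = value[1:]            # a leading byte 0x00..0x1F is a tag, not data
        attrs[attr_type] = value
        i += length
    return attrs

def controller_vlan(accept_attrs, ssid_vlan, aaa_override):
    """VLAN the WLC/Meraki puts the client on; without override the SSID's VLAN always wins."""
    attrs = parse_attributes(accept_attrs)
    if not aaa_override:
        return ssid_vlan
    if (int.from_bytes(attrs.get(TUNNEL_TYPE, b"\0"), "big") != TUNNEL_TYPE_VLAN or
            int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"\0"), "big") != TUNNEL_MEDIUM_IEEE_802 or
            TUNNEL_PRIVATE_GROUP_ID not in attrs):
        return ssid_vlan                 # absent or incomplete tunnel attributes: SSID VLAN
    return int(attrs[TUNNEL_PRIVATE_GROUP_ID])

def place_client(user, ssid_vlan=40, aaa_override=True):
    """Full path: policy match -> Access-Accept attributes -> VLAN chosen by the controller."""
    policy = evaluate_policies(user)
    if policy is None:
        return None                      # Access-Reject: unknown user or no matching policy
    return controller_vlan(build_accept_attributes(policy), ssid_vlan, aaa_override)

if __name__ == "__main__":
    for who in ("frank", "steve", "nobody"):
        print(who, place_client(who), place_client(who, aaa_override=False))
```

With the override off, Steve lands on the SSID's VLAN 40 exactly as in the video before the Advanced tab was changed; with it on, only the policy that carries all three tunnel attributes moves him to VLAN 70.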
Info
Channel: Network Lunchbox
Views: 2,946
Rating: 5 out of 5
Keywords: cisco, ccna, networking, tacacs, radius, wlc, lwap, lwapp, meraki, nps
Id: Iput9nLnldA
Length: 32min 36sec (1956 seconds)
Published: Mon Aug 17 2020