Wireless Radius Authentication with Windows Server 2016

Captions
Let's set up wireless RADIUS authentication between a wireless access point and a Windows 2016 server. Now this will also work on 2019, 2012, and also works in 2008, but for 2008 the instructions are a little bit different. I'll post a link to the 2008 at the end of the video.

All right, so we've got an EnGenius wireless access point, and what we're gonna do is we're gonna set up a 2.4 gigahertz SSID just for RADIUS. Now we also have 5 gigahertz as well and there's no difference, you can also do 5 gigahertz, it's just I'm setting this up just for testing purposes only on the 2.4. So if we go to wireless here and we scroll down to our 2.4 gigahertz setting, then this is where we set up our RADIUS authentication. So I've already typed in a second SSID. I've got my regular SSID which says police, it's just to throw people off, it's not really the police, and I've got my second one which is radius. So you can add additional SSIDs, and it doesn't matter if it's an EnGenius like this one is, which is a Wave 2 device, or if it's a Cisco or any other device, you can add multiple SSIDs without messing up your original wireless. So that way you can do this test or do this project without making any changes to your existing production environment.

All right, so we'll go ahead and click on edit and we'll log in and we'll take a look at our setup. So by default the security mode is going to be disabled, but obviously we want it to be WPA2 Enterprise. So our encryption is going to be AES, our group key interval defaults to 3,600 which is fine, and then we've got our RADIUS server set to the IP address of our domain controller slash RADIUS server. Now in our case our RADIUS server is the same as the domain controller. In your case it may not be, so if it's not, just point it towards the RADIUS server. Don't worry about the domain controller, that will be handled by the RADIUS server itself. All right, so now we've got the RADIUS port, which is by default UDP 1812, so you may have to make a firewall change on your Windows server just to make sure that that's open if you need to. And then you've got the RADIUS secret. Of course I'm using this very not secure password called password, but I suggest you put in a more secure one, and we're going to transfer these settings onto our RADIUS server here shortly.

So now we're going to go into our server, and again this is a 2016 server, it's a domain controller, and now it's also going to be a RADIUS server and it's going to be a certificate authority. If you already have a certificate authority in your network you don't have to do the certificate authority portion of this, but if you don't have one then you'll want to go ahead and add this as well. So we're gonna check the box that says Active Directory Certificate Services, click add feature, and we're going to want to check the boxes for network policy and access server and the remote access server as well. Even though we're not going to really be using that part of it, they do work together. Go ahead and click Next and we'll keep going. Oops, we've got to go back a little bit, sorry. So we do want to make this a certification authority into our network, so we'll go ahead and click Next and we'll click Next, and as far as the VPN goes just check the box for DirectAccess and VPN (RAS) even though we're not going to use it. Let's go ahead and hit next and install.

While we're waiting we can go ahead and go into our firewall. So we're going to go to our control panel by right-clicking on the start button, which still works in Server 2016, at some point they may update that, and we'll go to Advanced Settings and then we'll click on inbound rules. So what we want to do is we want to create a RADIUS rule, so we'll right-click on inbound rules and create a new rule, choose port, next, UDP, and we'll choose port 1812, that's all we need for this. Allow the connection for all three types and we'll just call it radius rule and finish, and you can see it goes to the top of our list, which is great.

OK, so there, that's finished, we've finished installation, and now we can click on the little triangle here and we want to check the option for configure Active Directory Certificate Services. So go ahead and open that and we're going to choose next. I'm going to make this a certification authority, next, Enterprise certification authority because it's a domain. If you don't have a domain controller you can choose standard. It's going to be a root CA, and we'll create a new private key, or we can choose to use an existing private key. Let's go ahead and create a new one and we'll choose our defaults here. If you decide you want to go with the higher key length just hit the drop-down and choose the next level up. And we'll just double check that this looks correct, yep, everything is spelled right, looks good, next. And as far as the years go, I'd like to make this 50 years so that way you don't have to worry about renewing it any time soon. Choose the default location and choose configure. It was successful, so click close.

And now we'll choose the network policy service. So we installed the network policy service and you'll see it right there, network policy, and we're gonna go and do another wizard here in just a second. So we're gonna choose this option where it says RADIUS server for dial-up. Now if you don't see that here make sure you're checked on NPS (Local). So we're going to choose the drop-down, choose RADIUS server for wireless, and then we'll Configure 802.1X. We'll choose secure wireless connections, next, and here's where you're going to want to stop this particular configuration and go into Active Directory Users and Computers, because it's going to want to know, hey, what RADIUS clients do you want to allow.

So we're going to go back to the server manager and open up tools, Active Directory Users and Computers. Now if your domain controller is a different server, you're going to have to change at this point. So click on computers and then we see our desktop. This is the only computer that's joined to the domain besides the domain controller itself. So let's go ahead and right-click and choose new and we're gonna create a group. It's gonna be a security group, so we'll just call it rad pcs, you can call it whatever you want. Double-click on it, choose members, click Add, and we're gonna add our computer. You have to choose computers from the list or it won't know that's what you're trying to do, and there is our desktop. All right, so this particular computer, this PC, has both a wired and wireless network card in it, so we're going to connect to it remotely on the wired card but then we're going to use our RADIUS connectivity through the wireless. So that way you can see both what it is I'm doing and we can also use our wireless RADIUS authentication. So that'll make a lot more sense once we get to that point.

So let's go back into our RADIUS clients, click Add, and we're just going to call this rap profile, and the IP address it's going to be looking for is our wireless access point, so I'll put in 192.168.15.5, so that's our EnGenius access point. Let's go ahead and put in our shared secret, remember it was password with a capital P and a 0. So click OK. Now if you have additional wireless access points you can add them here, or if you have a wireless access controller that controls all the access points you can just add that IP address alone. I'll go ahead and click Next, and we have the option for the type of EAP, and we're going to choose EAP PEAP. Go ahead and click Next, and now we have the groups. Let's go ahead and click Add and we'll go ahead and type in our rad pcs that we created just a little while ago, and then we'll check that name, and it found it, and we'll click Next. We'll leave the control configuration alone and finish.

So what this did is, if we expand policies, it just created a couple of policies for us. It created a connection policy and a network policy. So let's take a look at the connection policy first, and you can see that it is a secure wireless connection policy and it's doing a wireless policy here, and there's really nothing that we need to change there, so we'll go ahead and click cancel. So everything is good for there. Let's click on the network policy and you can see two policies beneath it. These are for VPN and by default they're disabled, so you can just leave those disabled unless of course you are also running VPN, then you can configure those separately. So we'll double-click on our wireless connection, make sure it looks good. It is enabled, and we'll go ahead and go to conditions and we see that our rad pcs group got added along with the wireless policy, and we're also using EAP PEAP for our EAP type, and it also shows MS-CHAP v2 and MS-CHAP. We'll just leave those, we don't really need 'em but we'll just leave 'em, and we'll click OK.

Now we're gonna go to our NPS at the top and we're going to want to choose to register the server in Active Directory. So if you've never installed this before this won't be grayed out. I've installed this before so you can see it's grayed out for me, but yours won't be grayed out, so you just select that and then you'll choose to accept the next box that pops up and then you'll be in business. So without doing that the network policy server is not going to have any authority to accept any clients, so we've got to make sure that we do that.

All right, so let's go ahead and minimize our NPS policy and now we're gonna go into group policy management. So from your domain controller you've got to go to tools and choose group policy management. Now in my case my domain controller is the same as my RADIUS server so I'm good to go. So I'm going to right-click on my widget.internal database and choose to create a GPO in this domain and link it here. I'll go ahead and call it radius policy but you can call it anything you want, and then I'm going to go down here to where it says security filtering and I'm going to add in our group. Make sure we change the object type to computers, OK, check names. So we're going to be allowing all authenticated users CSA members the domain as well as the computers themselves.

So now we're going to right-click and edit the policy and we're going to go to policies under computer configuration. We're going to go to Windows settings, I'll expand that, and then we're going to go to security settings, then we'll go to public key policies at the bottom. Let's go ahead and double-click on the auto-enrollment for the certificate services client and we'll choose to enable that, and we'll also check the boxes for renew expired and update certificates. Nothing else needs to be checked, so we'll go ahead and apply it and click OK. Now we'll go to automatic certificate request settings and double-click on that, and we'll right-click anywhere in the box, choose new automatic certificate request, and we'll get a wizard that pops up. Click Next. We're going to choose computer. Now there's four different types here, you can select each one, but we're going to choose computer because that's the type we need. Next and finish, and that's really all there is to that one.

And now we're going to go to the wireless network 802.11 policies, which is up several boxes, and we're going to right-click on the right-hand side again and we'll choose create a wireless network policy for Vista and later releases. So that means if you've got Windows 7, Windows 10, whatever it is, this is the policy for that. If you have any Windows XP you can create a policy there, but of course those are no longer supported. So we've got our new wireless network policy. We'll just call this policy, but you can really call it anything you like, there are no rules there. Get rid of our description, we don't need it. Now we're going to add in the SSID and it's going to be the infrastructure because that's the standard type of wireless access point. If you have an ad-hoc you'll know that you have that type, but by default they're all pretty much infrastructure. We're gonna call this the web profile and we're gonna put in the SSID, and we know that's called radius 2.4, remember, from the beginning of the video that's what we called our SSID. So we'll go ahead and click Add, and let's uncheck the connect to a more preferred network if available. We just want to connect to this one, and of course we'll connect to it when it's in range automatically.

Click on security and make sure that we're going to be on WPA2 Enterprise and AES CCMP. You've got PEAP for our authentication, and we're going to change our authentication mode to computers, so it's only gonna be computers that are joined to the domain. And then we're going to click on properties and we're going to click on connect to these servers, so we're going to put in the name of our RADIUS server, so it's wind 2016 dot widget internal, of course your domain is going to be different. And we'll scroll down to the bottom and we're gonna choose our certificate authority. So you see two different ones there, we're just gonna, or three different ones there actually, we're just going to go ahead and choose the bottom one, that's going to be the newest one. Most likely you'll only have one because you've only installed it one time. I've actually installed this multiple times so I see several of them here. There's nothing else to check so we'll just go ahead and click OK, and now we'll click OK on this box and we'll apply it and click OK once again.

So now what happens when we have a computer that's joined to the domain that is a member of that group that we created in Active Directory, we add those to the rad pcs group, then they will automatically get that policy applied to them. So let's go ahead and switch over to our workstation and we'll try to connect. Now I've restarted my workstation because in order to apply a computer policy it will require a reboot. If it was a user policy then we could just type gpupdate /force, but computer policies require a reboot. So once that's back up we'll log in.

We are now connected to our client computer and it's just a Windows 10. Just to show you it's a Windows 10 I'll click on system and you can see it's a Windows 10 64-bit, nothing really special about it. It is a member of the domain, however. All right, so we'll go ahead and click on our available networks and you can see a lot of different things here, but radius 2.4 is the name that I have for my SSID. So you're either going to see the name of your SSID or you're going to see the name of your policy, the group policy that you created. One of those two is going to show up for you, and you're just going to go ahead and click on it and choose connect, and look at that, it says connected and secured. So let's confirm that we're connected and we're getting an IP address, so we'll go ahead and type ipconfig /all. So if we go ahead and go to where it says Wi-Fi, what you see right here, we can see we've got an IP address of .110. Now our wired connection is set to .117, so I've got two different IP addresses, the wired and the wireless, and of course the wireless is being done through our RADIUS setup that we just did.

So if for some reason you don't see the SSID that you're expecting, then what you want to do is go to gpresult /r, and make sure you're logged in as the administrator or have an administrator prompt, otherwise you're not going to see this correctly. So if we scroll up to where it says applied group policy objects you should see that radius policy that we applied. If you didn't, then go back to the policy and make sure that you applied it to the correct group and that your computer's a member of that group, and then restart, and you should see the radius policy under applied group policy objects under computer settings, because remember it's a computer policy, not a user policy.

I also promised you a link in case you're using a 2008 server, and here is the link you see here at the top. You can pause if you want. If you don't want to type that super long link then you can just type in the name of the author, it's T noted Ino, and I think that's how you say it, and then you would just type in how to set up wireless WPA2 EAP wireless and then you'll get that for 2008.

So that wraps it up. I assume that most of you are going to be able to get this to work properly, but it only takes one little thing to have it break, so if you have any problems go ahead and put it in the comment section and I'll see if I can answer those for you. But hopefully, good luck, you'll be able to get that to work for you, and you can check out the rest of my channel. We have about 3000 videos so far and counting for various different how-tos, most of them have to do with Windows Server and networking.
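
The server-side steps described in the captions above (roles, firewall rule, RADIUS client, computer group, NPS registration), scripted as an added PowerShell example that is not from the video or its author. The NPS 802.1X wizard, the CA configuration and the GPO remain GUI steps. Assumptions: the computer account name is a placeholder, a random shared secret replaces the demo value, and the firewall rule is scoped to the access point's address, which the captions do not do.

```powershell
# Added example: server-side steps from the captions, for Windows Server 2016.
# Run in an elevated Windows PowerShell session on the NPS server.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$ApAddress   = '192.168.15.5'          # access point address given in the captions
$ClientName  = 'rap profile'           # RADIUS client name as it appears in the captions
$GroupName   = 'rad pcs'               # security group created in the captions
$ComputerSam = 'DESKTOP-PLACEHOLDER$'  # placeholder: the captions do not name the PC

# Roles ticked in Server Manager (the CA itself is still configured in its wizard).
Install-WindowsFeature -Name NPAS, ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# Inbound RADIUS authentication on UDP 1812. Limiting the source to the AP is an
# addition here; the rule in the captions accepts any source address.
New-NetFirewallRule -DisplayName 'radius rule' -Direction Inbound -Protocol UDP `
    -LocalPort 1812 -RemoteAddress $ApAddress -Action Allow | Out-Null

# Random 32-byte shared secret; the same string must be entered on the access point.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$SharedSecret = [Convert]::ToBase64String($bytes)

New-NpsRadiusClient -Name $ClientName -Address $ApAddress `
    -SharedSecret $SharedSecret | Out-Null

# Computer group referenced by the NPS network policy and the GPO security filter.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $ComputerSam

# Same effect as "Register server in Active Directory" in the NPS console.
netsh nps add registeredserver | Out-Null

# Verification: client entry, firewall scope, and recent NPS decisions
# (Security log event 6272 = access granted, 6273 = access denied).
Get-NpsRadiusClient | Where-Object Name -eq $ClientName |
    Format-List Name, Address, Enabled
Get-NetFirewallRule -DisplayName 'radius rule' | Get-NetFirewallAddressFilter |
    Format-List RemoteAddress
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id -AutoSize

Write-Host "Shared secret to enter on the access point: $SharedSecret"
```

Event 6273 entries carry a reason code, which is the quickest way to tell a shared-secret mismatch from a group or certificate problem when a client fails to connect.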
Info
Channel: Robert McMillen
Views: 91,731
Keywords: Windows Server 2016, windows 10, windows server, windows server 2012, r2, windows 2016, microsoft server 2016, server 2016, microsoft server, microsoft server 2012, windows 2016 server, wins server, windows server standard, hyper v server 2016, latest windows server, how to, vmware, radius, eap, peap, 801.1x, 802.11x, how to install windows server 2016, windows server 2016 basics, windows server 2016 features, windows server 2016 install, windows server 2016 tutorial
Id: dB8aH3Kysg0
Length: 18min 8sec (1088 seconds)
Published: Fri May 11 2018