Set up an SSID using RADIUS NPS/WPA2 Enterprise Security in SteelConnect

Solution Number: S28024
Last Modified: 2017-05-05

Issue

This document describes how to set up an SSID using WPA2 Enterprise security in SteelConnect Manager in combination with Microsoft Windows Server RADIUS NPS using PEAP/EAP-MSCHAPv2 authentication methods.

If you want to deploy SSIDs that use WPA2 Enterprise security, you need to specify at least one NPS/RADIUS server in your organization. Sites that do not have their own RADIUS server can use another Site's servers via RouteVPN.

Solution

Configuring RADIUS on Windows Server

Windows Server required Roles:

  • Active Directory Domain Services
  • Active Directory Certificate Services
  • Network Policy and Access Services

  1. Add a RADIUS Client

    Open Network Policy Server > NPS (local) > RADIUS Clients and Servers > RADIUS Client.
    Now click on the menu Action > New. You will be presented with a screen where you are required to enter the configuration information explained below.

    Client Name:
    A friendly name for the RADIUS client, which makes it easy to identify. Call this something like RiverbedWireless. Make sure you remember what you called it as you will need to enter the same name in the next section Add a Connection Request Policy.

    Address (IP or DNS):
    The Internet Protocol version 4 (IPv4) address or the Domain Name System (DNS) name of the RADIUS client. In case you have more than one RADIUS Client (e.g. more than one Access Point) you can also enter a network range. If your Access Points are all in a unified IP address space you can simply add the range using standard CIDR format (such as 10.10.10.0/24).

    Shared secret:
    Shared secrets are used to verify that RADIUS messages are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.

    When creating and using a shared secret:
    • Generate a random sequence at least 22 characters long
    • Use any standard alphanumeric and special characters
      • Special characters known to work:
        ,;.:^!"$%&/()={[]}?\`+~*#-_<>|
      • Special characters that should not be used because they are known to cause issues:
        °@§ß´'
    • Make the shared secret up to 64 characters in length. To protect your NPS server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters)
    • Change the shared secret often to protect your NPS server and your RADIUS clients from dictionary attacks
    • Make note of this password for use in section Configuring RADIUS in SteelConnect
       
  2. Add a Connection Request Policy

    Open Network Policy Server > NPS (local) > Policies > Connection Request Policies.
    Now click on menu Action > New, then you will be presented with a screen where you have to enter the following configuration information.

    Policy name:
    Enter a name; in our example we have called it RiverbedWireless.

    Now add the following conditions:
    NAS Port Type: Wireless – IEEE 802.11
    Client Friendly Name: Name of the RADIUS Client configured above (in our case RiverbedWireless)

    Click Next, then hit Finish – The default settings are fine for the rest of the configuration.
     
  3. Add a Network Policy

    Open Network Policy Server > NPS (local) > Policies > Network Policies.
    Now click on menu Action > New, then you will be presented with a screen where you have to enter the following configuration information.

    Policy name:
    Enter a name; in our example we have called it RiverbedWireless.

    Now add the following conditions:
    NAS Port Type: Wireless – IEEE 802.11
    Client Friendly Name: Name of the RADIUS Client (in our case RiverbedWireless)

    Click Next until you arrive at Configure Authentication Methods and add
    Microsoft: Protected EAP (PEAP) in EAP-Types.
    In the Less secure authentication methods section, remove MS-CHAP authentication and leave only MS-CHAPv2.

    Click Next, then hit Finish – The default settings are fine for the rest of the configuration.

Configuring RADIUS in SteelConnect Manager

In SteelConnect Manager, navigate to the Site with the RADIUS Server via Network Design > Sites > RADIUS and enter your RADIUS Server IP address and password (the shared secret of the RADIUS Client you configured earlier in Configuring RADIUS on Windows Server) using the following format:

ipaddress@password (e.g. 10.10.10.10@password)

Next, add an SSID in WiFi > SSIDs and choose WPA2 Enterprise security. Then navigate to WiFi > Broadcasts to begin broadcasting the Enterprise SSID at the applicable Sites.
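
The shared-secret rules from step 1 and the ipaddress@password format can be checked before anything is typed into NPS or SteelConnect Manager. The Python sketch below is an added example, not Riverbed or Microsoft code; the function names are hypothetical, and the character lists and length bounds are copied from this article.

```python
import ipaddress
import secrets
import string

# Character lists copied from the shared-secret guidance in this article.
WORKING_SPECIALS = ',;.:^!"$%&/()={[]}?\\`+~*#-_<>|'
PROBLEM_CHARS = "°@§ß´'"
ALPHABET = string.ascii_letters + string.digits + WORKING_SPECIALS
MIN_LEN, MAX_LEN = 22, 64  # length bounds from the same guidance


def generate_shared_secret(length=32):
    """Draw a secret from the OS CSPRNG using only known-working characters."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_shared_secret(secret):
    """Return a list of rule violations; an empty list means the secret passes."""
    problems = []
    if len(secret) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted(set(secret) & set(PROBLEM_CHARS))
    if bad:
        problems.append("contains characters known to cause issues: " + "".join(bad))
    unknown = sorted(set(secret) - set(ALPHABET) - set(PROBLEM_CHARS))
    if unknown:
        problems.append("contains characters not on the known-working list: " + "".join(unknown))
    return problems


def steelconnect_radius_entry(server_ip, secret):
    """Build the ipaddress@password value for Network Design > Sites > RADIUS."""
    ip = ipaddress.ip_address(server_ip)  # raises ValueError on a malformed address
    problems = check_shared_secret(secret)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{ip}@{secret}"


if __name__ == "__main__":
    secret = generate_shared_secret()
    # 10.10.10.10 is the sample address from the article, not a real server.
    print(steelconnect_radius_entry("10.10.10.10", secret))
```

Use the same generated value for the Shared secret field of the NPS RADIUS client and for the SteelConnect entry.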

 

Environment

SteelConnect Manager
