Thursday, December 11, 2008

Radius Server with WPA2 in 2008


In Windows Server 2003, to enable Radius authentication Internet Authentication Service needed to be installed and configured. Now in Windows Server 2008 this has been replaced by Network Policy server.

Network Policy Server

Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.
As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP).


Open Initial Configuration Tasks, and click Add Roles.

Select Network Policy and Access Services, and click Next.

Click Next after you have read through the Introduction.

The next screen you will be presented with is the ‘Select Role Services’. Network Policy Server needs to be selected to use any of the items. Routing and Remote Access Services is for enabling VPN termination, you may install this at the same time if you plan to run this server as a VPN server, for now it will not be installed.

Select the Host Credential Authorization Protocol, you will be prompted with a dialog box that looks a little like this:

Simply click ‘Add Required Role Services’ as all of these items are required for the sub section of this role.

Simply click next and next until you get to the Confirmation page, triple check you have all the roles selected that are required, and click install.

Once the NPS has been installed, and the server restarted Radius installation can begin.

Open the Network Policy Server from Start, Administrative Tools, Network Policy Server

Creating the Radius policy is now made easy with the Network Access Protection wizard. Simply select RADIUS server for 802.1X Wireless or Wired Connections, and click Configure NAP.

Once at this stage you will need to configure your access point as well. Each Access Point configuration varies, but you should have something like WPA2-Enterprise, once you select this you should be able to enter the IP Address of this server, and enter the secret we are about to setup. Consult your manuals or forums on locating your radius setup on your AP.

Radius works by creating a secure link between the radius server and radius client, so on the next page you must create a Radius client.

Type in a name for your client, this is purely only for the administrator as a readable name, the server uses the IP address when trying to communicate.

Pick a “secret” or password that you will enter on your Access Point, this will be how the client and server know each other and can verify the connection.

Now click next once you have created your Radius Client.

Now select Microsoft: Smart Card or other certificate, this will use any existing certificate that has been created on the server.

Now add the groups of users that you want to be allowed to access the radius authentication.

Now click next and finish, and you have created a Radius policy.

Depending on your Access Point, the configuration will be different.

But essentially you will have to configure Radius Authentication

So once you link your Access Point to the server, when you try to authenticate users they will be required to get a certificate. I'll outline out to request a certificate from the server in the next post.

Changes from 2003 to 2008

Server Manager

This is probably the largest change between 2003 and 2008, with the ability to centrally manage and control all features and roles that your 2008 Windows Server is running.

The Windows Server® 2008 operating system eases the task of managing and securing multiple server roles in an enterprise with the new Server Manager console. Server Manager in Windows Server 2008 provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server.

Server Manager replaces several features included with Windows Server® 2003, including Manage Your Server, Configure Your Server, and Add or Remove Windows Components.

Server Manager also eliminates the requirement that administrators run the Security Configuration Wizard before deploying servers; server roles are configured with recommended security settings by default, and are ready to deploy as soon as they are installed and properly configured.

Roles and Features

The next main change from 2003 to 2008 is the idea of Roles and Features, like in 2003 when you went to add a windows service, Add/Remove programs was your only option. Now in Windows Server 2008 you can add services via their separate Roles and Features section in the server management.

Just like in Add/Remove Windows components, each item in Roles and Features can be ticked to install, and ‘details’ can be clicked to add more specific items to the installation.

Each section, Roles and Features, can be viewed individually via the Server Manager Console. This enables administrators to quickly and more efficiently view what has been installed and configured so they can determine if they are on the server they want to be on.

Above: Roles viewed from Server Manager

Above: Features viewed from Server Manager

Windows Firewall

Windows Server 2008 introduces a new and improved firewall; the Windows Firewall with Advanced Security. The new Windows firewall introduces many improvements and is very similar to the firewall that was included with Windows Vista. Features included with the new Windows Firewall with Advanced Security include:

  • Granular inbound access control
  • Granular outbound access control
  • Tight integration with the Windows Server 2008 Server Manager, with automatic configuration of the firewall when services are installed using the Server Manager
  • Highly improved IPsec policy configuration and management, and a name change. IPsec policies are now referred to as Connection Security Rules
  • Improved monitoring of firewall policy
  • Improved monitoring of IPsec policies (now called Connection Security Rules)
  • Improved centralized monitoring of Main and Quick Mode Security Associations