using windows 2008 with aruba2 - airheads...
Using Windows 2008 With Aruba Controllers Version 1.0
Tobias Rice
This will be a basic setup using Windows 2008 Server to allow dot1x auth with an Aruba controller. Steps to have a basic installation include:
1. Rename the server
2. Setting server as Domain Controller
3. Installing Certificate Services
4. Request Certificates (optional)
5. Installing Network Policy Services (previously IAS)
6. Creating Group Policies
Rename The Server
Something different about Windows 2008 Server is that the server name is auto-generated and you are not given a chance during the install to name the server, so you must do so before installing Active Directory or Certificate Services.
In the “Initial Configuration Tasks” window, click the “Provide computer name and domain” link.
Enter a Computer description and click the “Change…” button to change the computer name. I’ll be using WLAN-DC as my name and description.
Enter the Computer name, click “OK” and reboot when prompted.
Setting Server as a Domain Controller
For this example we set up a new forest for the wlan.net domain. Server 2008 abstracts most server functions into “Roles”, so we’ll be adding the Active Directory Domain Services Role with the Server Manager by clicking “Roles” and clicking “Add Roles.”
Select the Active Directory Domain Services Role.
Click through the confirmation screens and click Install. You should see an installation progress screen and finally an “installation success” message that asks you to run the command “dcpromo.exe”, which will configure your domain. So click the link to run “dcpromo”, or click the “Start” button, select “Run” and enter “dcpromo.exe”. You should now see the “Active Directory Domain Service” install wizard. Click “Next” to continue.
Choose “Create a new domain in a new forest” and click “Next”.
For our example domain we’ll use “wlan.net”. Click “Next” and it will check to see if the name is already used on the network.
When asked to set which “Forest Functional Level” to use, I used the 2008 level.
The next screen you’ll see is a warning that the DNS service isn’t installed, and it will offer to install it for you. Just click “Next” to accept and install.
It will display the following warning; just click “Yes” to continue.
Just accept the defaults and click “Next”.
Now you’ll be prompted to enter a “Directory Services Restore Mode Administrator Password”. Enter a password and click “Next”.
Click “Next” at the Summary screen.
You’ll now see the Installation Wizard install DNS and Active Directory. Check the “Reboot on completion” box and once the wizard finishes it’ll reboot and be ready for the next step.
Installing Certificate Services
To enable PEAP or EAP-TLS we’ll need to install Certificate Services to enable a Certificate Authority (CA) to generate and sign certificates for our domain. Again, add a Role via the Server Manager, select “Active Directory Certificate Services” and click “Next”.
Click through the confirmation screen and select “Certification Authority” and “Certificate Authority Web Enrollment”, which will tell you that you’ll need IIS to be installed to use the “Certificate Authority Web Enrollment”. Click “Add Required Role Services” and click “Next” to continue.
When prompted for which type of Certificate Authority to install, choose “Enterprise”.
When prompted for CA Type, select “Root CA” and click “Next”.
When prompted to Set Up Private Key, select “Create a new private key” and click “Next”.
When prompted to Configure Cryptography for CA, accept the defaults and click “Next” for the rest of the confirmation screens.
Request Certificates (optional)
Now that we have our Certificate Authority (CA) up and running we may want to request a certificate for our Authentication Server.
We’ll create a Microsoft Management Console (MMC) that will allow us to request and install the certificate for our server. Press the “Start” button and enter “MMC” in the command field to open the MMC. Next we’ll add the Certificates (For Local Computer) snap-in by clicking “File” and choosing “Add/Remove Snap-in”. Select “Certificates” and click “Add”.
Now be sure to select “Computer Account” and click “Next”.
Choose “Local Computer”, click “Finish” and “OK”.
TIP: While you’re here you might as well add the “Certificate Authority” snap-in and save this MMC to your desktop, because you’ll need it again in the future.
To request a certificate for your server (if you don’t want to use the default certificate) expand “Certificates (Local Computer Account)”, “Personal”, right-click “Certificates” and select “All Tasks”, “Request New Certificate…”
Click through the Enrollment screens choosing the settings you desire for your certificate.
Installing Network Policy and Access Services
In Windows 2008 Server you can no longer just install the Internet Authentication Service (IAS) and have RADIUS functionality. You must now install Network Policy and Access Services, which includes everything from earlier versions of Windows Server such as RRAS/IAS/etc.… but now also includes NAP (think NAC for Windows). We will be installing and configuring just enough to enable PEAP and RADIUS functionality with our Aruba controller. So once again head to the Server Manager, “Add a Role”, select “Network Policy and Access Services” and click through the confirmation screen.
Select “Network Policy Server”, “Routing and Remote Access Services”, “Remote Access Service” and “Routing”. Click “Next”, click through the confirmation screen and click “Install”.
Installation will take a couple of minutes and present you with an install summary. Just click “Close”.
Now that NPS is installed, press the “Start” button and enter “nps.msc” in the command field. The NPS MMC should open up, allowing you to select the “RADIUS server for 802.1X Wireless or Wired Connections” Installation Wizard from the “Standard Configuration” pull-down menu and click “Configure 802.1X”.
From the “Select 802.1X Connections Type” page, select “Secure Wireless Connections” and click “Next”.
From the “Specify 802.1X Switches” screen click “Add…”, enter the settings for your Aruba controller and press “OK”.
For the “Configure an Authentication Method” screen select “Microsoft Smart Card or other certificate” for EAP-TLS or “Microsoft Protected EAP (PEAP)” for PEAP. I will be selecting PEAP for this example and clicking “Configure…”
Select the appropriate certificate to use for this server. In this case we’ll use the “WLAN-DC.wlan.net” certificate and click “OK”.
For the “Specify User Groups” screen select the users and/or groups you would like to allow wireless access. For this example I am allowing all of my domain users by selecting the “Domain Users” group. If I want to enforce Machine Authentication I need to add the “Domain Computers” group as well as check the “Enforce Machine Auth” option in the dot1x policy on my Aruba controller. Click “Next” to continue.
Note: Groups listed here are considered as an OR statement.
For the next screen you can click “Next” and “Finish”, or click “Configure…” to add RADIUS attributes for Server Derivation rules.
For example, you may want to map the “Domain Users” to the “employee_role” on your Aruba controller. You could do that here with the “Filter-Id” attribute.
Note: There seems to be a bug in Windows: if you mess with these attributes too much, the “Filter-Id” attribute vanishes. If this happens, cancel out of the wizard and start over.
Press “Next” and “Finish” to complete the wizard. This should now allow you to authenticate users against your Windows 2008 Server. To test your configuration, ssh to your Aruba controller and configure it to use the new RADIUS server.
(MC800) >en
Password:******
(MC800) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(MC800) (config) #aaa authentication-server radius nps
(MC800) (RADIUS Server "nps") #host 10.1.0.236
(MC800) (RADIUS Server "nps") #enable
(MC800) (RADIUS Server "nps") #key p@ssw0rd
(MC800) (RADIUS Server "nps") #nas-identifier Aruba-Master
(MC800) (RADIUS Server "nps") #nas-ip 10.1.0.250
Now test to see if everything is working properly.
(MC800) #aaa test-server mschapv2 nps tobias qwerty12!@
Authentication successful
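The session above only defines the RADIUS server object. For the Filter-Id mapping and the machine-authentication enforcement mentioned in the NPS wizard steps to take effect, the server still has to be placed in a server group, the group needs a derivation rule, and the group has to be attached to the 802.1X profile and AAA profile that the WLAN uses. The following is an added example of that remaining controller-side configuration (it is not from the original post); the group, profile and role names nps-group, dot1x-prof, wlan-aaa and employee_role are assumed placeholders, the role employee_role is assumed to already exist on the controller, the prompts are illustrative, and lines beginning with “!” are annotations rather than commands:

```text
! Put the "nps" server defined above into a server group.
(MC800) (config) #aaa server-group "nps-group"
(MC800) (Server Group "nps-group") #auth-server nps
! Server derivation rule: when NPS returns Filter-Id "employee_role",
! place the user in the controller role employee_role (role assumed to exist).
(MC800) (Server Group "nps-group") #set role condition Filter-Id equals "employee_role" set-value employee_role
(MC800) (Server Group "nps-group") #exit
! 802.1X authentication profile; machine-authentication enable is the
! "Enforce Machine Auth" option referred to in the user-group step, and
! only makes sense if "Domain Computers" was also allowed in NPS.
(MC800) (config) #aaa authentication dot1x "dot1x-prof"
(MC800) (802.1X Authentication Profile "dot1x-prof") #machine-authentication enable
(MC800) (802.1X Authentication Profile "dot1x-prof") #exit
! AAA profile that ties the 802.1X profile and the server group together;
! the WLAN's virtual AP references this profile. Users with no matching
! derivation rule fall back to the predefined "authenticated" role.
(MC800) (config) #aaa profile "wlan-aaa"
(MC800) (AAA Profile "wlan-aaa") #authentication-dot1x "dot1x-prof"
(MC800) (AAA Profile "wlan-aaa") #dot1x-server-group "nps-group"
(MC800) (AAA Profile "wlan-aaa") #dot1x-default-role authenticated
(MC800) (AAA Profile "wlan-aaa") #exit
! Re-run the same reachability test as above once the group is in place.
(MC800) (config) #aaa test-server mschapv2 nps tobias qwerty12!@
```

Because the derivation rule compares the Filter-Id string exactly, the value configured in the NPS network policy must match the controller role name character for character, and a user whose policy returns no Filter-Id simply lands in the default role, which is the behaviour to check for when the Filter-Id attribute has vanished as described in the note above.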