If you have a Ubiquiti wireless network and want the users to authenticate to it using their Active Directory username and password – this guide is for you. I didn’t find a proper guide for this so decided to write my own.
This guide helps you configure NPS (Network Policy Server) on Windows Server 2012 R2 as a RADIUS server for your wireless network, performing PEAP-MS-CHAP v2 authentication (that is, username and password from Active Directory) and using a 3rd party CA certificate on the NPS server instead of a private CA. I will be using Ubiquiti UniFi AP access points, but I assume you can use any wireless solution. This was a replacement for an older Elektron RADIUS server from Periodik Labs LLC which is no longer available.
This solution also gives you redundancy, since I installed two identical NPS servers with the same certificate and specified both servers in the configuration of the wireless APs. The only thing you have to remember is that when you make changes to the NPS configuration you have to manually export it from the 1st to the 2nd server, since there is no replication functionality in NPS.
The user experience when connecting to this wireless network is that users have to enter their Active Directory username and password. I tested it on both Windows 10 and iPhones. Since I use a 3rd party public certificate, there should be no certificate warnings, and no client certificate installed on the clients is needed.
I assume Active Directory and DHCP are in place already.
1. Install NPS
Install NPS server from PowerShell using:
Install-WindowsFeature NPAS-Policy-Server -IncludeManagementTools
2. Add Wireless AP as RADIUS clients to NPS
Before the APs can communicate with the NPS server, they need to be added as RADIUS Clients.
- From Server Manager -> Tools -> Network Policy Server -> RADIUS Clients and Servers.
- Right-click RADIUS Clients, and then click New RADIUS Client and add the IP and Shared Secret of each AP.
3. Configure NPS
Before starting, make sure you have the 3rd party certificate already installed with its private key and that the certificate shows as valid in the Certificates MMC. There seems to be some confusion about the requirements for this certificate. Microsoft has some info here and here. My research shows:
- I would suggest double-checking with your certificate supplier before ordering whether they know of any issues using their certificate for this setup.
- Do not use SAN or wildcard certificates. Reference here and here.
- When it comes to the Subject Name, some articles state that the name must match the FQDN of the server, but this creates a problem if you’re using .local or non-public domains. Also, you might want to re-use the certificate on another, second, NPS server for redundancy, which should work, see here. In my case, I was running a .local domain so I bought a public certificate named nps.mypublicdomain.com.
- Don’t get cheap on the certificate. In my experience this will definitely cause the most headache if the certificate is not valid or trusted, since different OSes handle this differently. Some will fail, some will work, some will almost work…
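Before moving on to the wizard, here is an added example (not from the original guide) that checks the installed certificate against the requirements listed above: private key present, inside its validity period, no wildcard subject, Server Authentication EKU, no extra SAN names, and a chain that builds to a trusted root. It assumes the subject name nps.mypublicdomain.com from the guide and the DnsNameList property that the PowerShell Cert: provider adds to certificate objects.

```powershell
# Added example, not part of the original guide: pre-flight check of the NPS server
# certificate. Run in an elevated PowerShell on the NPS server.
# $ExpectedCn is the guide's placeholder name; replace it with your own.
$ExpectedCn    = 'nps.mypublicdomain.com'
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication, what PEAP supplicants expect

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ExpectedCn,*" -or $_.Subject -eq "CN=$ExpectedCn" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$ExpectedCn found in Cert:\LocalMachine\My" }

$problems = @()

# NPS has to sign the TLS handshake, so the private key must be present in the store.
if (-not $cert.HasPrivateKey) { $problems += 'private key is not present in the store' }

# Validity window: expired or not-yet-valid certificates are rejected by every client.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# The guide advises against wildcard certificates.
if ($cert.Subject -match 'CN=\*\.') { $problems += 'wildcard subject name' }

# When an EKU extension exists it must include Server Authentication.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt -and -not (@($ekuExt.EnhancedKeyUsages.Value) -contains $ServerAuthEku)) {
    $problems += "Server Authentication EKU ($ServerAuthEku) missing"
}

# The guide advises against SAN certificates: flag any DNS name other than the CN.
# DnsNameList is an extended property added by the Cert: provider (assumption).
$extraNames = @($cert.DnsNameList.Unicode) | Where-Object { $_ -and $_ -ne $ExpectedCn }
if ($extraNames) { $problems += "SAN contains extra names: $($extraNames -join ', ')" }

# The chain must build to a root the clients already trust (the reason for a public CA).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) passes all checks"
} else {
    Write-Warning "Certificate $($cert.Thumbprint) has problems:"
    $problems | ForEach-Object { Write-Warning " - $_" }
}
```

Run it on both NPS servers after importing the certificate, since the private key must be present on each one for the redundant setup described above.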
I will be using the Wizard…
- From Server Manager -> Tools -> Network Policy Server and make sure NPS (Local) is selected.
- From the Standard Configuration, choose RADIUS server for 802.1X Wireless or Wired Connections in the dropdown list and then Configure 802.1X.
- Select Secure Wireless Connections and feel free to change the Name:
- Make sure the previously added APs (RADIUS Clients) are in the list:
- Make sure Type is set to Microsoft: Secured password (EAP-MSCHAP v2). You don’t need to change anything in Configure…
- If you want to allow a certain group permission, add this here. Otherwise, simply add Domain Users.
- Configure Traffic Controls can be left default.
- Select Finish.
Now, this actually does not completely create what we want but for the sake of simplicity, the wizard was used to create the initial configuration.
- Go into Policies -> Network Policies and Edit the Policy you just created.
- Go to Constraints tab -> Authentication Methods.
- As you can see, there’s only one EAP Type and that is the wrong one. Click Add… and add Microsoft: Protected EAP (PEAP).
- Choose Edit on this and select the certificate you created above:
- Press OK, and then remove the other EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
- Also, I would suggest you deselect all Less secure authentication methods, since none of them are particularly safe. What you should be left with is:
4. Configure the Wireless APs
This step differs between brands, but this is how it’s done using Ubiquiti UniFi APs. When configuring your network, specify the IP of the 1st and 2nd NPS server here. If the 1st server is down, the AP will try the 2nd.