In this blog I’m going to demonstrate how to set up WPA2 Enterprise with user authentication for a wireless network. The advantage of a Wi-Fi network with WPA2 Enterprise authentication is that you can grant users access based on group membership. In addition, this authentication method prevents unwanted users from getting onto the network with a shared password. Because personal certificates are used, you can also easily revoke access rights.
How does it work
When using WPA2 Enterprise authentication, users are authenticated with a user or computer certificate. This certificate is issued by the Public Key Infrastructure (PKI). When a client connects to the Wi-Fi network, the authentication request is forwarded to the RADIUS server, which handles the authentication. On the RADIUS server, connection policies are configured in which you specify the conditions a connection request must satisfy in order to establish a connection. Upon approval, the user is granted access to the wireless network.
Prerequisites
To set up WPA2 Enterprise with user authentication in your network, there are a few prerequisites:
- Domain Controller
- CA server (Public Key Infrastructure) to issue certificates
- NPS server
- Wi-Fi infrastructure that supports WPA2 Enterprise
Demo Setup
In this blog, I am using my demo environment “Vmlabblogdemo.com”. It consists of the following components:
- Domain Controller (DC1-2022)
- Public Key Infrastructure (CA-SUB-02-2022 and CA-OFF-01-2022)
- Network Policy Server (NPS01-2022)
- Unifi Wireless Network with two Access Points
- Dell W10 laptop for Wi-Fi testing (AD joined)
All servers run Windows Server 2022 and the laptop runs Windows 10 Professional. In addition, I have configured a test user, “aad@vmlabblogdemo.com”.
Wireless Group
As discussed earlier, one advantage of a WPA2 Enterprise configuration is that you can grant users access to the Wi-Fi network based on group membership. Therefore, we start by creating an AD group and adding the test user to it.
1. Create an AD group, for example “Wireless Wi-Fi Users”.
2. Add your test user to the group.
Configure User Certificate
Before users can log on to the Wi-Fi network with a certificate, we need to configure a certificate template. It is important that the certificate is enrolled automatically when the user logs on to the computer; otherwise users would have to request it manually. Log in to the certificate server to configure the certificate template.
3. Open the Certification Authority console, expand the server, right-click the Certificate Templates folder and click Manage. This opens the Certificate Templates Console.
4. Select the built-in User certificate template, which we will use as the basis, right-click it and select “Duplicate Template”.
5. Give the template a recognizable name and press “OK” to save the duplicated template. Close the “Certificate Templates Console”.
6. Select the Extensions tab and remove all Application Policies except “Client Authentication”.
7. Select the “Security” tab. Add the Wireless Wi-Fi Users group and grant it Read, Enroll and Autoenroll permissions.
8. Right-click “Certificate Templates” and select “New -> Certificate Template to Issue”.
9. Select the template we just duplicated and press “OK” to make it available for enrollment.
Setup NPS Server
The Network Policy Server (NPS) is the RADIUS server that handles the authentication requests. Log in to the server on which you want to configure the NPS role and follow the steps below.
10. Before you begin the configuration, verify that the NPS server has a computer certificate. This is required to configure Protected EAP on the server. If there is no certificate, you can request one via the Certificates (Local Computer) snap-in in MMC.exe.
11. Start “Server Manager” and select “Add Roles and Features”. Select “Network Policy and Access Services” and, in the popup, select “Add Features”. Click Next until you can select “Install”, then close the window.
12. When the installation has finished, select “Tools” -> “Network Policy Server” to configure the NPS server.
13. First we need to register the NPS in Active Directory. Right-click “NPS (Local)” and select “Register server in Active Directory”. Press “OK” in the popup.
14. Now we are going to create a shared secret template. This is helpful when you are using multiple access points. Expand Templates Management, right-click Shared Secrets and select New.
15. Enter a secret to use for your RADIUS clients and press “OK” to save the template.
16. Select “RADIUS server for 802.1X Wireless and Wired Connections” (1) and select “Configure 802.1X” (2).
17. Select “Secure Wireless Connections” and press “Next”.
18. Add the RADIUS client(s) by pressing “Add…”.
19. Enter a friendly name and the IP or DNS address of the access point, and select the shared secret template. Press “OK” to add the access point. Repeat this for all access points.
20. When all APs have been added, press “Next” to continue.
21. Select “Microsoft: Protected EAP (PEAP)” and select “Configure”. (If you get an error, make sure your server has a computer certificate.)
22. Under EAP Types, check that “Secured password (EAP-MSCHAP v2)” is configured. Press “OK” to save the changes and “Next”.
23. Add the “Wireless Wi-Fi Users” group (see step 1) and press “Next”.
24. As I do not want to configure traffic controls, select “Next” to continue.
25. Select “Finish” to complete the configuration.
26. Check the firewall rules. When you enable the NPS role, inbound rules for UDP ports 1645, 1646, 1812 and 1813 should be added to the Windows Firewall. If not, you need to add them manually.
Configure WiFi Network
Configuring the Wi-Fi network depends on the brand of network equipment you use; look up the specific settings in the manufacturer’s documentation. In this example I am using Unifi.
27. Log in to the Unifi controller and go to Settings. Select Profiles and press “Create New Radius Profile”.
28. Enter a name for the profile and select the networks you want to support. Add the following authentication and accounting servers, each with the IP address of your NPS server, the port listed below and the shared secret you configured in step 15. The legacy ports are optional and only needed for older RADIUS clients.
Authentication Servers
  NPS firewall rule                                              | UDP port
  Network Policy Server (RADIUS Authentication – UDP-In)         | 1812
  Network Policy Server (Legacy RADIUS Authentication – UDP-In)  | 1645
Accounting Servers
  NPS firewall rule                                              | UDP port
  Network Policy Server (RADIUS Accounting – UDP-In)             | 1813
  Network Policy Server (Legacy RADIUS Accounting – UDP-In)      | 1646
29. In Settings, select WiFi and select “Create New Wifi” to create a new Wi-Fi network.
30. Enter the SSID you want to use (in this example “Test Wifi”) and toggle the Advanced switch from “Auto” to “Manual”.
31. Change Security Protocol from “WPA2” to “WPA2 Enterprise” (1) and select the “Radius Profile” you created in the previous step (2). Press “Add WiFi Network” (3) to add the Wi-Fi network.
Configure Group Policies
Now that we have configured NPS and the Wi-Fi network, we need to make the configuration available on the endpoint. In this step we configure the Wi-Fi profile and the user certificate enrollment. Run “Group Policy Management” on the domain controller and perform the steps below.
32. First we create a new GPO for the Wi-Fi configuration.
Configure WiFi Profile
33. Add a new wireless network policy to the GPO.
34. Enter a policy name and description. Press “Add” to configure the Wi-Fi network.
35. Enter a profile name and add the SSID for the Wi-Fi profile.
36. Check the security settings, change them if necessary, and press “OK” twice to close the windows.
Configure autoenrollment for the user certificate
37. Expand the following path: Default Domain Policy, User Configuration, Policies, Windows Settings, Security Settings, Public Key Policies. Double-click Certificate Services Client – Auto-Enrollment.
38. In Configuration Model, select Enabled. Select the “Renew expired certificates, update pending certificates, and remove revoked certificates” check box and the “Update certificates that use certificate templates” check box. Press “OK” to save the changes.
Result
All conditions are now configured. Log in to your test device with the network cable connected. Run gpupdate /force to apply the newly configured policy. When you check the user’s personal certificates, you will see that the Wi-Fi certificate has been added.
If you look at the known wireless networks, you will see that the “Test Wifi” network has been added.
Now that the wireless network and the user certificate have been added, we unplug the network cable. The laptop should then connect to the wireless network automatically. If this does not happen, select Connect to see whether it connects manually.
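To check the same result from the command line instead of the GUI, here is an added PowerShell example (mine, not part of the original post) that looks for the auto-enrolled certificate and the deployed Wi-Fi profile on the client. The template name is a placeholder for the name you chose in step 5; the SSID is the “Test Wifi” network from step 30.

```powershell
# Added example (not from the original post): verify on the client that the
# auto-enrolled user certificate and the GPO-deployed Wi-Fi profile are present.
# Assumptions: the template name is a placeholder for the name you chose in step 5;
# the SSID is the "Test Wifi" network from step 30.
$TemplateName = 'Wi-Fi User Authentication'   # placeholder, use your own template name
$Ssid         = 'Test Wifi'
# OID of the "Certificate Template Information" extension that AD CS adds to issued certificates
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    # usable for EAP client authentication (the only application policy left in step 6) ...
    $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' -and
    # ... and issued from our template (the extension text contains "Template=<name>")
    ($_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid } |
        ForEach-Object { $_.Format($false) }) -match [regex]::Escape($TemplateName)
}

if (-not $certs) {
    Write-Warning "No '$TemplateName' certificate in the user store; triggering autoenrollment"
    certutil -pulse | Out-Null   # runs an autoenrollment pass now instead of waiting for the next refresh
} else {
    foreach ($c in $certs) {
        "Certificate OK: Subject=$($c.Subject) Thumbprint=$($c.Thumbprint) Expires=$($c.NotAfter)"
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days' }
    }
}

# The wireless profile pushed by the GPO (step 35) should be listed by netsh
if ((netsh wlan show profiles) -match [regex]::Escape($Ssid)) {
    "Wi-Fi profile '$Ssid' present; security settings:"
    netsh wlan show profile "$Ssid" | Select-String 'Authentication|Cipher|EAP type'
} else {
    Write-Warning "Wi-Fi profile '$Ssid' not found; run 'gpupdate /force' and check the GPO scope"
}
```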
Troubleshooting
If you cannot connect after configuring everything, first check the NPS logging. This can be found in the Event Viewer on the NPS server: go to Custom Views -> Server Roles -> Network Policy and Access Services.
- If the event log is empty, try restarting the NPS service first. I have experienced several times that you have to do this before the service works properly.
- The event log also remains empty if traffic between the access point and NPS is blocked. Try to ping the NPS from the AP.
- Check the configured ports and IP addresses in the ra.
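The checks above, scripted: an added PowerShell example (not from the original post) to run in an elevated session on the NPS server (NPS01-2022 in this demo). It verifies the NPS service, reachability of the access point, the RADIUS firewall rules from step 26 and the most recent NPS audit events; the AP address is a placeholder.

```powershell
# Added example (not from the original post): server-side checks for the troubleshooting
# steps above. Run in an elevated PowerShell on the NPS server (NPS01-2022 in this post).
# Assumption: $ApAddress is a placeholder; replace it with your access point's IP.
$ApAddress = '192.0.2.10'

# 1. NPS runs as the "IAS" service; an empty event log often just means it needs a restart.
$svc = Get-Service -Name IAS
"NPS service state: $($svc.Status)"
if ($svc.Status -ne 'Running') { Restart-Service -Name IAS; 'NPS service restarted' }

# 2. The post pings NPS from the AP; this is the reverse check from the NPS side.
if (-not (Test-Connection -ComputerName $ApAddress -Count 2 -Quiet)) {
    Write-Warning "AP $ApAddress does not answer ICMP from the NPS server; check routing/VLANs"
}

# 3. Inbound UDP allow rules for RADIUS: 1812/1813 (standard) and 1645/1646 (legacy), see step 26.
$udpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    $rule | Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'UDP' } |
        ForEach-Object { [pscustomobject]@{ Name = $rule.DisplayName; Ports = @($_.LocalPort) } }
}
foreach ($port in 1812, 1813, 1645, 1646) {
    $hit = $udpRules | Where-Object { $_.Ports -contains "$port" } | Select-Object -First 1
    if ($hit) { "UDP $port allowed by rule '$($hit.Name)'" }
    else {
        Write-Warning "UDP $port not allowed inbound; adding a rule"
        New-NetFirewallRule -DisplayName "RADIUS UDP $port" -Direction Inbound -Protocol UDP `
            -LocalPort $port -Action Allow | Out-Null
    }
}

# 4. NPS audits to the Security log: 6272 = access granted, 6273 = denied, 6274 = discarded.
#    Field names follow the Security-Auditing schema; if one prints empty, check Event Viewer's Details tab.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No RADIUS requests logged: nothing reached NPS (connectivity, ports or the IP in the AP RADIUS profile)'
} else {
    foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        '{0} Id={1} User={2} Client={3} EAP={4} Reason={5}' -f $e.TimeCreated, $e.Id, $data['SubjectUserName'], $data['ClientIPAddress'], $data['EAPType'], $data['ReasonText']
    }
}
```

A 6273 event with a reason text is the quickest pointer to a policy or credential problem, while no events at all points at the network path or the shared secret.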