Windows Server 2012 Radius..

jorge diaz
jorge diaz used Ask the Experts™
Windows Server 2012 Radius Server-- Hi, I know that i'm being a bit lazy for not doing my reading but it'd be great if you could save me that time..

I need to deploy a Radius Server on Win server 2012, I know that it's now called Network Policy Sever. The question is this: Do I need at point during or after the installation a Windows Certificate server for it to work? The goal is to authenticate WiFi and VPN users.

Thanks for your help.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018

That depends on the various options you choose to configure. There is no core dependency, but it may be necessary or desirable for certain Auth types.
Cliff, I'll have my uses in AD and use Radius to authenticate. I'd like to avoid having a cert server if I don't need to.
Joseph HornseyPresident and Janitor

Hey, Cliff.  You don't need a certificate at all.

As long as you're authenticating users internally (meaning the RADIUS traffic is only inside the firewall and not crossing a public network, aka the internet) you're fine.
Here's what you do:

1. Install NPS.
2. Register it in AD
3. Add your firewall (or whatever) as a RADIUS client
4. Configure your Pre-Shared Keys
5. Configure RADIUS on your firewall (or whatever)
6. Create a group in AD and add users who are allowed to connect to the VPN
7. Create the policy on the NPS where the condition is Windows Group and add specify the group you created and set that condition to "Allow"
8. Test

That's off the top of my head.  Let me know if you need more details.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Distinguished Expert 2018

Hey, Cliff.  You don't need a certificate at all.

Reread my post.  I specifically said there is no core dependency.  But the OP specifically said they want to use it for VPN *AND* WiFi.  Most PEAP implementations of WiFi want a certificate of some sort, and to avoid training users in bad habits of "trusting" networks that can't be validated (which is an demonstrated MitM attack vector), it is often advisable to use a certificate.  Which goes back to my statement that "it depends" and I stand behind that.

If you show me a corporate wifi network that isn't protected by a certificate, I'll show you how I can park my car somewhere with a cantenna, broadcast the same SSID, and do some good old fashioned corporate espionage.  Even small businesses are targets for this kind of war-driving because it is low hanging fruit.

So I stand by my initial answer.  It is not a core dependency.  But many configurations would still require some level of certificate services.
kevinhsiehNetwork Engineer

You wouldn't need certificate services for VPN, but you likely do for Wi-Fi (and wired 802.1x) authentication. I would setup Certificate Services on a member server. It isn't that hard.
Distinguished Expert 2018
No matter what option you set (either it could be MS CHAP V2 password based auth OR it could be EAP / PEAP), client has to mutually authenticate VPN server (NPS server here), in order to mutually authenticate, there is server certificate get installed on NPS server. Client must trust this certificate, meaning its root certificate must be available in client local store
When you install NPS server, it automatically create self signed "server authentication SSL" cert and use that. If client don't trust that you will get errors while connecting
If certificate is from domain CA, client will trust that cert
U can find cert on radius server (NPS) under connection request polices node \ policies \ vpn or wireless policy properties \ settings and edit the authentication method.
U can remove cert dependency by removing EAP types from there and select chap or chap v2 (simple password auth) but its not recommended
President and Janitor
Sorry, Cliff... I wasn't trying to call you out... I was actually trying to respond to the Jorge, not you.  Just got the names confused.

Jorge, I didn't read your question fully.  For VPN, you definitely don't need a certificate server, as long as the RADIUS traffic is on the internal network (and that network is wired).

For WiFi, you may or may not need a certificate server, depending on how you're connected.  If you have a single WAP and it is has a cable going into a switch, authentication traffic is the same as with the VPN above.

If, however, you have a more complicated setup where multiple wireless devices are bridged together and authentication traffic is sent wirelessly, then Cliff is absolutely correct and while certificates aren't required, it would be very foolish not to implement them.
Distinguished Expert 2018

For VPN also you need certificate on server unless you are using PPPoe connection, this si not requirement of author I believe

He must be needing something like SSTP OR IPSEC VPN, for latter you need cert on clients as well
Thank you both for the through explanation. Considering the my configuration I'll do Radius and a Cert server.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial