We help IT Professionals succeed at work.

Windows Server 2012 Radius..

149 Views
Last Modified: 2018-08-30
Windows Server 2012 Radius Server-- Hi, I know that i'm being a bit lazy for not doing my reading but it'd be great if you could save me that time..

I need to deploy a Radius Server on Win server 2012, I know that it's now called Network Policy Sever. The question is this: Do I need at point during or after the installation a Windows Certificate server for it to work? The goal is to authenticate WiFi and VPN users.

Thanks for your help.
Comment
Watch Question

CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
That depends on the various options you choose to configure. There is no core dependency, but it may be necessary or desirable for certain Auth types.
CERTIFIED EXPERT

Author

Commented:
Cliff, I'll have my uses in AD and use Radius to authenticate. I'd like to avoid having a cert server if I don't need to.
Joseph HornseyDirector of IT & Infrastructure
CERTIFIED EXPERT

Commented:
Hey, Cliff.  You don't need a certificate at all.

As long as you're authenticating users internally (meaning the RADIUS traffic is only inside the firewall and not crossing a public network, aka the internet) you're fine.
Here's what you do:

1. Install NPS.
2. Register it in AD
3. Add your firewall (or whatever) as a RADIUS client
4. Configure your Pre-Shared Keys
5. Configure RADIUS on your firewall (or whatever)
6. Create a group in AD and add users who are allowed to connect to the VPN
7. Create the policy on the NPS where the condition is Windows Group and add specify the group you created and set that condition to "Allow"
8. Test

That's off the top of my head.  Let me know if you need more details.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Hey, Cliff.  You don't need a certificate at all.

Reread my post.  I specifically said there is no core dependency.  But the OP specifically said they want to use it for VPN *AND* WiFi.  Most PEAP implementations of WiFi want a certificate of some sort, and to avoid training users in bad habits of "trusting" networks that can't be validated (which is an demonstrated MitM attack vector), it is often advisable to use a certificate.  Which goes back to my statement that "it depends" and I stand behind that.

If you show me a corporate wifi network that isn't protected by a certificate, I'll show you how I can park my car somewhere with a cantenna, broadcast the same SSID, and do some good old fashioned corporate espionage.  Even small businesses are targets for this kind of war-driving because it is low hanging fruit.


So I stand by my initial answer.  It is not a core dependency.  But many configurations would still require some level of certificate services.
kevinhsiehNetwork Engineer
CERTIFIED EXPERT

Commented:
You wouldn't need certificate services for VPN, but you likely do for Wi-Fi (and wired 802.1x) authentication. I would setup Certificate Services on a member server. It isn't that hard.
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Director of IT & Infrastructure
CERTIFIED EXPERT
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
For VPN also you need certificate on server unless you are using PPPoe connection, this si not requirement of author I believe

He must be needing something like SSTP OR IPSEC VPN, for latter you need cert on clients as well
CERTIFIED EXPERT

Author

Commented:
Thank you both for the through explanation. Considering the my configuration I'll do Radius and a Cert server.