Link to home
Start Free TrialLog in
Avatar of Jorge Diaz
Jorge DiazFlag for United States of America

asked on

Windows Server 2012 Radius..

Windows Server 2012 Radius Server-- Hi, I know that i'm being a bit lazy for not doing my reading but it'd be great if you could save me that time..

I need to deploy a Radius Server on Win server 2012, I know that it's now called Network Policy Sever. The question is this: Do I need at point during or after the installation a Windows Certificate server for it to work? The goal is to authenticate WiFi and VPN users.

Thanks for your help.
Avatar of Cliff Galiher
Cliff Galiher
Flag of United States of America image

That depends on the various options you choose to configure. There is no core dependency, but it may be necessary or desirable for certain Auth types.
Avatar of Jorge Diaz


Cliff, I'll have my uses in AD and use Radius to authenticate. I'd like to avoid having a cert server if I don't need to.
Hey, Cliff.  You don't need a certificate at all.

As long as you're authenticating users internally (meaning the RADIUS traffic is only inside the firewall and not crossing a public network, aka the internet) you're fine.
Here's what you do:

1. Install NPS.
2. Register it in AD
3. Add your firewall (or whatever) as a RADIUS client
4. Configure your Pre-Shared Keys
5. Configure RADIUS on your firewall (or whatever)
6. Create a group in AD and add users who are allowed to connect to the VPN
7. Create the policy on the NPS where the condition is Windows Group and add specify the group you created and set that condition to "Allow"
8. Test

That's off the top of my head.  Let me know if you need more details.
Hey, Cliff.  You don't need a certificate at all.

Reread my post.  I specifically said there is no core dependency.  But the OP specifically said they want to use it for VPN *AND* WiFi.  Most PEAP implementations of WiFi want a certificate of some sort, and to avoid training users in bad habits of "trusting" networks that can't be validated (which is an demonstrated MitM attack vector), it is often advisable to use a certificate.  Which goes back to my statement that "it depends" and I stand behind that.

If you show me a corporate wifi network that isn't protected by a certificate, I'll show you how I can park my car somewhere with a cantenna, broadcast the same SSID, and do some good old fashioned corporate espionage.  Even small businesses are targets for this kind of war-driving because it is low hanging fruit.

So I stand by my initial answer.  It is not a core dependency.  But many configurations would still require some level of certificate services.
You wouldn't need certificate services for VPN, but you likely do for Wi-Fi (and wired 802.1x) authentication. I would setup Certificate Services on a member server. It isn't that hard.
Avatar of Mahesh
Flag of India image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
For VPN also you need certificate on server unless you are using PPPoe connection, this si not requirement of author I believe

He must be needing something like SSTP OR IPSEC VPN, for latter you need cert on clients as well
Thank you both for the through explanation. Considering the my configuration I'll do Radius and a Cert server.