Windows Server 2012 Radius..

Windows Server 2012 Radius Server-- Hi, I know that I'm being a bit lazy for not doing my reading but it'd be great if you could save me that time..

I need to deploy a Radius Server on Win server 2012, I know that it's now called Network Policy Server. The question is this: Do I need, at any point during or after the installation, a Windows Certificate server for it to work? The goal is to authenticate WiFi and VPN users.

Thanks for your help.
jorge diazSEAsked:

Cliff GaliherCommented:
That depends on the various options you choose to configure. There is no core dependency, but it may be necessary or desirable for certain Auth types.
0
jorge diazSEAuthor Commented:
Cliff, I'll have my users in AD and use Radius to authenticate. I'd like to avoid having a cert server if I don't need to.
0
Joseph HornseyPresident and JanitorCommented:
Hey, Cliff.  You don't need a certificate at all.

As long as you're authenticating users internally (meaning the RADIUS traffic is only inside the firewall and not crossing a public network, aka the internet) you're fine.
Here's what you do:

1. Install NPS.
2. Register it in AD
3. Add your firewall (or whatever) as a RADIUS client
4. Configure your Pre-Shared Keys
5. Configure RADIUS on your firewall (or whatever)
6. Create a group in AD and add users who are allowed to connect to the VPN
7. Create the policy on the NPS where the condition is Windows Group, specify the group you created, and set that condition to "Allow"
8. Test

That's off the top of my head.  Let me know if you need more details.
0
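
Added example, not part of the post above: steps 1-4 and 6 of that list scripted in PowerShell on the NPS server, followed by a check for a Server Authentication certificate, which matters for the PEAP/Wi-Fi case raised in the replies. The client name, IP address, group name and user name are assumed placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed; steps 5 and 7 are done on the firewall and in the NPS console.

```powershell
# Assumed placeholder values (not from the thread): replace before use.
$ClientName = 'edge-firewall'   # hypothetical RADIUS client (firewall or WAP)
$ClientIp   = '192.0.2.10'      # documentation-range address
$GroupName  = 'VPN-Users'       # hypothetical AD group for allowed users
$TestUser   = 'jdoe'            # hypothetical AD account

# Step 1: install the Network Policy Server role and its management tools.
Install-WindowsFeature NPAS -IncludeManagementTools

# Step 2: register this NPS in the local computer's AD domain so it can
# read users' dial-in properties.
netsh nps add registeredserver

# Steps 3-4: generate a long random shared secret (64 hex characters) and
# register the firewall as a RADIUS client with it.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })
Import-Module NPS
New-NpsRadiusClient -Name $ClientName -Address $ClientIp -SharedSecret $secret
# The same value in $secret must be entered on the firewall (step 5).

# Step 6: create the AD group that the network policy will reference
# and add an allowed user to it.
Import-Module ActiveDirectory
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members $TestUser

# Certificate check: list machine certificates usable for server
# authentication, with issuer and expiry, so you can see what a PEAP
# policy would present to clients and whether they can validate it.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, Issuer, NotAfter
```

An empty result from the last command means there is no server certificate on the machine for an EAP/PEAP policy to use.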
Cliff GaliherCommented:
Hey, Cliff.  You don't need a certificate at all.

Reread my post.  I specifically said there is no core dependency.  But the OP specifically said they want to use it for VPN *AND* WiFi.  Most PEAP implementations of WiFi want a certificate of some sort, and to avoid training users in bad habits of "trusting" networks that can't be validated (which is a demonstrated MitM attack vector), it is often advisable to use a certificate.  Which goes back to my statement that "it depends" and I stand behind that.

If you show me a corporate wifi network that isn't protected by a certificate, I'll show you how I can park my car somewhere with a cantenna, broadcast the same SSID, and do some good old fashioned corporate espionage.  Even small businesses are targets for this kind of war-driving because it is low hanging fruit.


So I stand by my initial answer.  It is not a core dependency.  But many configurations would still require some level of certificate services.
1
kevinhsiehCommented:
You wouldn't need certificate services for VPN, but you likely do for Wi-Fi (and wired 802.1x) authentication. I would set up Certificate Services on a member server. It isn't that hard.
0
MaheshArchitectCommented:
No matter what option you set (either MS CHAP V2 password-based auth or EAP / PEAP), the client has to mutually authenticate the VPN server (the NPS server here). In order to mutually authenticate, a server certificate gets installed on the NPS server. The client must trust this certificate, meaning its root certificate must be available in the client's local store.
When you install the NPS server, it automatically creates a self-signed "server authentication SSL" cert and uses that. If the client doesn't trust it, you will get errors while connecting.
If the certificate is from a domain CA, the client will trust that cert.
You can find the cert on the RADIUS server (NPS) under connection request policies node \ policies \ vpn or wireless policy properties \ settings, and edit the authentication method.
You can remove the cert dependency by removing the EAP types from there and selecting chap or chap v2 (simple password auth), but it's not recommended.
0
Joseph HornseyPresident and JanitorCommented:
Sorry, Cliff... I wasn't trying to call you out... I was actually trying to respond to Jorge, not you.  Just got the names confused.

Jorge, I didn't read your question fully.  For VPN, you definitely don't need a certificate server, as long as the RADIUS traffic is on the internal network (and that network is wired).

For WiFi, you may or may not need a certificate server, depending on how you're connected.  If you have a single WAP and it has a cable going into a switch, authentication traffic is the same as with the VPN above.

If, however, you have a more complicated setup where multiple wireless devices are bridged together and authentication traffic is sent wirelessly, then Cliff is absolutely correct and while certificates aren't required, it would be very foolish not to implement them.
0

MaheshArchitectCommented:
For VPN you also need a certificate on the server unless you are using a PPPoe connection; this is not a requirement of the author, I believe.

He must be needing something like SSTP OR IPSEC VPN, for latter you need cert on clients as well
0
jorge diazSEAuthor Commented:
Thank you both for the thorough explanation. Considering my configuration I'll do Radius and a Cert server.
0