Jorge Diaz
asked on
Windows Server 2012 Radius..
Windows Server 2012 Radius Server-- Hi, I know that i'm being a bit lazy for not doing my reading but it'd be great if you could save me that time..
I need to deploy a Radius Server on Win server 2012, I know that it's now called Network Policy Sever. The question is this: Do I need at point during or after the installation a Windows Certificate server for it to work? The goal is to authenticate WiFi and VPN users.
Thanks for your help.
I need to deploy a Radius Server on Win server 2012, I know that it's now called Network Policy Sever. The question is this: Do I need at point during or after the installation a Windows Certificate server for it to work? The goal is to authenticate WiFi and VPN users.
Thanks for your help.
That depends on the various options you choose to configure. There is no core dependency, but it may be necessary or desirable for certain Auth types.
ASKER
Cliff, I'll have my uses in AD and use Radius to authenticate. I'd like to avoid having a cert server if I don't need to.
Hey, Cliff. You don't need a certificate at all.
As long as you're authenticating users internally (meaning the RADIUS traffic is only inside the firewall and not crossing a public network, aka the internet) you're fine.
Here's what you do:
1. Install NPS.
2. Register it in AD
3. Add your firewall (or whatever) as a RADIUS client
4. Configure your Pre-Shared Keys
5. Configure RADIUS on your firewall (or whatever)
6. Create a group in AD and add users who are allowed to connect to the VPN
7. Create the policy on the NPS where the condition is Windows Group and add specify the group you created and set that condition to "Allow"
8. Test
That's off the top of my head. Let me know if you need more details.
As long as you're authenticating users internally (meaning the RADIUS traffic is only inside the firewall and not crossing a public network, aka the internet) you're fine.
Here's what you do:
1. Install NPS.
2. Register it in AD
3. Add your firewall (or whatever) as a RADIUS client
4. Configure your Pre-Shared Keys
5. Configure RADIUS on your firewall (or whatever)
6. Create a group in AD and add users who are allowed to connect to the VPN
7. Create the policy on the NPS where the condition is Windows Group and add specify the group you created and set that condition to "Allow"
8. Test
That's off the top of my head. Let me know if you need more details.
Hey, Cliff. You don't need a certificate at all.
Reread my post. I specifically said there is no core dependency. But the OP specifically said they want to use it for VPN *AND* WiFi. Most PEAP implementations of WiFi want a certificate of some sort, and to avoid training users in bad habits of "trusting" networks that can't be validated (which is an demonstrated MitM attack vector), it is often advisable to use a certificate. Which goes back to my statement that "it depends" and I stand behind that.
If you show me a corporate wifi network that isn't protected by a certificate, I'll show you how I can park my car somewhere with a cantenna, broadcast the same SSID, and do some good old fashioned corporate espionage. Even small businesses are targets for this kind of war-driving because it is low hanging fruit.
So I stand by my initial answer. It is not a core dependency. But many configurations would still require some level of certificate services.
You wouldn't need certificate services for VPN, but you likely do for Wi-Fi (and wired 802.1x) authentication. I would setup Certificate Services on a member server. It isn't that hard.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
For VPN also you need certificate on server unless you are using PPPoe connection, this si not requirement of author I believe
He must be needing something like SSTP OR IPSEC VPN, for latter you need cert on clients as well
He must be needing something like SSTP OR IPSEC VPN, for latter you need cert on clients as well
ASKER
Thank you both for the through explanation. Considering the my configuration I'll do Radius and a Cert server.