Pkafkas
 asked on

How to get RADIUS Server Authentication to work with Active Directory for corporate wireless?

How to set up a new RADIUS Server for Wireless Authentication?

I have never set up a RADIUS server before.  In the past, for wireless or Citrix or any form of authentication we just had to configure:

- LDAP Server IP address (Active Directory Server IP address).
- User account with administrator access that could authenticate to the AD server.
- Worked with a vendor (like Citrix) that had accomplished this before.

Now, I am working in a new environment where my project is to migrate to the new Aruba Wireless System from an E.O.L. wireless system.   We have an older HP MSM700 series Wireless system used in production and the Aruba is in my test lab.  

We require a RADIUS Server for employee authentication to our Corporate Wireless network.  I have found a few web sites; but, I want to know how I can verify if the new RADIUS server (Network Policy Server) has all of the requirements?

The production Wireless Controller (older) is set up to use EAP Authentication and it is configured to use a local certificate that was provided to us by DigiCert (THAWTE - CA).  That certificate is labelled to be used to authenticate to the peer.  We attempted to use the currently used RADIUS server; but, after the new Aruba Clients were added the RADIUS server stopped working; hence, it was decided to create a new RADIUS server for the new Wireless system and that should not affect the users in the production environment.

The new RADIUS server is set up as follows:

1.  Network Policy Server Role (Windows 2012 R2)
2.  Does not have Active Directory installed.  A.D., is a different server.
3.  I have added the Aruba Controllers as RADIUS Clients (by IP address).
4.  The current test server has "EAP MSCHAPv2" setup for the Authentication method.
5.  I have registered the NPS with Active Directory.

Question1:  What will I need to verify if the current production wireless setup has or does not have?  So I can duplicate the authentication on the new Aruba system.

Question2:  Why am I getting the following error from the Network Policy server's "Event Viewer" when attempting to authenticate to the corporate Wireless from the new RADIUS server.

The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


https://www.gypthecat.com/how-to-configure-windows-2012-nps-for-radius-authentication-with-ubiquiti-unifi

https://community.arubanetworks.com/t5/Controllerless-Networks/Wireless-Connection-issues-while-roaming-with-Lenovo-Laptops/td-p/241742
Tags: Wireless Networking, Active Directory, Network Security


8/22/2022 - Mon
Mahesh

Did you configure your Aruba controller with a shared secret to point to the RADIUS server? The same secret should be used on the RADIUS server when adding the controller as a RADIUS client.
Also check if you have configured only MS-CHAP v2 in the advanced properties of EAP; if it's certificate based, you will get an error.
Pkafkas

ASKER
I did get the RADIUS servers to work with the Aruba Controllers.  After reviewing the above mentioned web sites I noticed 3 things:

1.  The RADIUS server was not registered with Active Directory.


2.  My manager did not have a template for registering the Windows 2012 R2 servers with RADIUS.
     a.  I am not familiar with this part; but, my manager informed me that he will show me this later.


3.  The authentication method was set for msCHAP V2; but, I needed to set it for PEAP instead.
     a.  After PEAP was recognized then the authentication worked like a champ with the RADIUS server.


I eventually added a secondary RADIUS server and applied the same configuration on the RADIUS server itself and on the Aruba Controller.  The key was to test everything in a systematic and cautious way.
Mahesh

1st point you already mentioned in the question.

You do not need any template and there is no need to register the RADIUS server anywhere except Active Directory, which you already did.

If you go further into PEAP, there you will find MS-CHAP v2 (password based authentication).
Pkafkas

ASKER
Does PEAP require a certificate?  How can I tell if the current RADIUS servers are using a certificate or not?
ASKER CERTIFIED SOLUTION
Mahesh

Pkafkas

ASKER
I will check. These details and explanations are helping me understand how the RADIUS server works.

We do have a locally created certificate that is in the PEAP properties.

[Screenshot: screen01]
Question1:  Is this the certificate that allows our users to authenticate into our network for wireless?  

Question2:  How does the shared secret key fit into the mix?  Is the certificate created with the shared key?  Is that how the shared secret key enters into the picture?
Mahesh

The certificate is used to establish an encrypted connection between client and server; without this certificate NPS won't communicate with clients.
When you use secure password as the method, authentication still happens with the AD username and password.


VPN clients don't use a shared key.

The shared key is used by RADIUS clients to communicate with the RADIUS server.
The RADIUS server is nothing but your NPS server (IAS server), and RADIUS clients are nothing but VPN servers pointing to the IAS server for authentication OR your access points pointing to the VPN / IAS server for authentication.

I hope this is clear now
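
How the shared secret fits in, as an added example that is not part of the original thread: the controller and the RADIUS server use it to key the HMAC-MD5 Message-Authenticator (RFC 3579) on RADIUS packets that carry EAP, which is separate from the server certificate that protects the PEAP session with the wireless client. The identity and secret below are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _mac(packet: bytes, secret: bytes):
    """Find Message-Authenticator; return (value offset, HMAC-MD5 with value zeroed)."""
    pos = 20  # attributes follow code, identifier, length, 16-byte authenticator
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2:
            raise ValueError("malformed attribute length")
        if a_type == ATTR_MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return pos + 2, hmac.new(secret, zeroed, hashlib.md5).digest()
        pos += a_len
    raise ValueError("no Message-Authenticator attribute")


def build_access_request(identity: bytes, secret: bytes, ident: int = 1) -> bytes:
    """RADIUS client side (controller): wrap an EAP-Response/Identity and sign it."""
    eap = struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity
    attrs = (attr(ATTR_USER_NAME, identity) + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    packet = header + attrs  # code 1 = Access-Request, random Request Authenticator
    off, mac = _mac(packet, secret)
    return packet[:off] + mac + packet[off + 16:]


def server_accepts(packet: bytes, secret: bytes) -> bool:
    """RADIUS server side: recompute the HMAC with its own copy of the secret."""
    off, expected = _mac(packet, secret)
    return hmac.compare_digest(packet[off:off + 16], expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    pkt = build_access_request(b"alice@example.test", secret)
    print("matching secret:  ", server_accepts(pkt, secret))
    print("mismatched secret:", server_accepts(pkt, b"some-other-secret"))
```
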