How to get RADIUS Server Authentication to work with Active Directory for corporate wireless?

How to set up a new RADIUS Server for Wireless Authentication?

I have never set up a RADIUS server before. In the past, for wireless or Citrix or any form of authentication we just had to configure:

- LDAP Server IP address (Active Directory Server IP address).
- User account with administrator access that could authenticate to the AD server.
- Worked with a vendor (like Citrix) that had accomplished this before.

Now, I am working in a new environment where my project is to migrate to the new Aruba Wireless System from an E.O.L. wireless system. We have an older HP MSM700 series Wireless system used in production and the Aruba is in my test lab.

We require a RADIUS Server for employee authentication to our Corporate Wireless network. I have found a few web sites, but I want to know how I can verify whether the new RADIUS server (Network Policy Server) has all of the requirements.

The production Wireless Controller (older) is set up to use EAP Authentication and it is configured to use a local certificate that was provided to us by DigiCert (THAWTE - CA). That certificate is labelled to be used to authenticate to the peer. We attempted to use the currently used RADIUS server, but after the new Aruba Clients were added the RADIUS server stopped working; hence, it was decided to create a new RADIUS server for the new Wireless system, which should not affect the users in the production environment.

The new RADIUS server is setup as follows:

1. Network Policy Server Role (Windows 2012 R2)
2. Does not have Active Directory installed. A.D. is a different server.
3. I have added the Aruba Controllers as RADIUS Clients (by IP address).
4. The current test server has "EAP MSCHAPv2" set up as the Authentication method.
5. I have registered the NPS with Active Directory.

Question 1: What will I need to verify that the current production wireless setup has or does not have, so I can duplicate the authentication on the new Aruba system?

Question 2: Why am I getting the following error from the Network Policy Server's "Event Viewer" when attempting to authenticate to the corporate Wireless from the new RADIUS server?

The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


https://www.gypthecat.com/how-to-configure-windows-2012-nps-for-radius-authentication-with-ubiquiti-unifi

https://community.arubanetworks.com/t5/Controllerless-Networks/Wireless-Connection-issues-while-roaming-with-Lenovo-Laptops/td-p/241742
Asked by Pkafkas (Network Engineer):

Mahesh (Architect) commented:
Did you configure your Aruba controller with a shared secret to point to the RADIUS server? The same secret should be used on the RADIUS server when adding the controller as a RADIUS client.
Also check whether you have configured only MS-CHAP v2 in the advanced properties of EAP; if it's certificate based, you will get an error.
Pkafkas (Network Engineer, Author) commented:
I did get the RADIUS servers to work with the Aruba Controllers. After reviewing the above-mentioned web sites I noticed 3 things:

1. The RADIUS server was not registered with Active Directory.

2. My manager did not have a template for registering the Windows 2012 R2 servers with RADIUS.
     a. I am not familiar with this part, but my manager informed me that he will show me this later.

3. The authentication method was set for MS-CHAP v2, but I needed to set it for PEAP instead.
     a. After PEAP was recognized, the authentication worked like a champ with the RADIUS server.


I eventually added a secondary RADIUS server and applied the same configuration on the RADIUS server itself and on the Aruba Controller. The key was to test everything in a systematic and cautious way.
Mahesh (Architect) commented:
The 1st point you already mentioned in the question.

You do not need any template, and there is no need to register the RADIUS server anywhere except Active Directory, which you already did.

If you go further into PEAP, there you will find MS-CHAP v2 (password-based authentication).
Pkafkas (Network Engineer, Author) commented:
Does PEAP require a certificate? How can I tell if the current RADIUS servers are using a certificate or not?
Mahesh (Architect) commented:
If you go to the PEAP properties by clicking Edit, you should find a certificate (maybe self-signed, since you may not have an AD-integrated CA).
This certificate is used for SSL purposes so that the connection between client and server remains encrypted; without a certificate NPS won't communicate with clients. It's a mandatory requirement. You already have a working NPS, so you have a certificate.
However, this is different from certificate-based auth. If you check the PEAP properties page further, you will also see EAP types such as Secured password; as a fact, you are able to authenticate with an AD username and password. If you replace this secured password with a certificate on that page, your client also needs a certificate, and then authentication will happen certificate-based, and in that case no username / password is required.
Check the post below:
https://www.entrustdatacard.com/knowledgebase/how-is-the-server-certificate-installed-on-microsoft-network-policy-server-nps-on-windows-2008-server

Pkafkas (Network Engineer, Author) commented:
I will check. These details and explanations are helping me understand how the RADIUS server works.

We do have a locally created certificate that is in the PEAP properties.

Question 1: Is this the certificate that allows our users to authenticate into our network for wireless?

Question 2: How does the shared secret key fit into the mix? Is the certificate created with the shared key? Is that how the shared secret key enters into the picture?
Mahesh (Architect) commented:
The certificate is used to establish an encrypted connection between client and server; without this certificate NPS won't communicate with clients.
When you use secured password as the method, authentication still happens with the AD username and password.


VPN clients don't use the shared key.

The shared key is used by RADIUS clients to communicate with the RADIUS server.
The RADIUS server is nothing but your NPS server (IAS server), and RADIUS clients are nothing but VPN servers pointing to the IAS server for authentication, OR your access points pointing to the VPN / IAS server for authentication.

I hope this is clear now