How to get RADIUS Server Authentication to work with Active Directory for corporate wireless?

Pkafkas
How to setup a new RADIUS Server for Wireless Authentication?

I have never set up a RADIUS server before. In the past, for wireless or Citrix or any form of authentication we just had to configure:

- LDAP Server IP address (Active Directory Server IP address).
- User account with administrator access that could authenticate to the AD server.
- Worked with a vendor (like Citrix) that had accomplished this before.

Now, I am working in a new environment where my project is to migrate to the new Aruba Wireless System from an E.O.L. wireless system. We have an older HP MSM700 series wireless system used in production, and the Aruba is in my test lab.

We require a RADIUS server for employee authentication to our corporate wireless network. I have found a few web sites, but I want to know how I can verify whether the new RADIUS server (Network Policy Server) has all of the requirements.

The production wireless controller (older) is set up to use EAP authentication and it is configured to use a local certificate that was provided to us by DigiCert (THAWTE - CA). That certificate is labelled to be used to authenticate to the peer. We attempted to use the currently used RADIUS server, but after the new Aruba clients were added the RADIUS server stopped working; hence, it was decided to create a new RADIUS server for the new wireless system, and that should not affect the users in the production environment.

The new RADIUS server is set up as follows:

1.  Network Policy Server Role (Windows 2012 R2)
2.  Does not have Active Directory installed.  A.D., is a different server.
3.  I have added the Aruba Controllers as RADIUS Clients (by IP address).
4.  The current test server has "EAP MSCHAPv2" set up as the authentication method.
5.  I have registered the NPS with Active Directory.

Question 1:  What will I need to verify that the current production wireless setup has or does not have, so I can duplicate the authentication on the new Aruba system?

Question 2:  Why am I getting the following error from the Network Policy Server's "Event Viewer" when attempting to authenticate to the corporate wireless from the new RADIUS server?

The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


https://www.gypthecat.com/how-to-configure-windows-2012-nps-for-radius-authentication-with-ubiquiti-unifi

https://community.arubanetworks.com/t5/Controllerless-Networks/Wireless-Connection-issues-while-roaming-with-Lenovo-Laptops/td-p/241742
MaheshArchitect
Distinguished Expert 2018

Commented:
Did you configure your Aruba controller with a shared secret to point to the RADIUS server? The same secret should be used on the RADIUS server when adding the controller as a RADIUS client.
Also check whether you have configured only MS-CHAP v2 in the advanced properties of EAP; if it's certificate based, you will get an error.
Pkafkas, Network Engineer

Author

Commented:
I did get the RADIUS servers to work with the Aruba controllers. After reviewing the above-mentioned web sites I noticed 3 things:

1.  The RADIUS server was not registered with Active Directory.

2.  My manager did not have a template for registering the Windows 2012 R2 servers with RADIUS.
     a.  I am not familiar with this part, but my manager informed me that he will show me this later.

3.  The authentication method was set for MS-CHAP v2, but I needed to set it for PEAP instead.
     a.  After PEAP was recognized, the authentication worked like a champ with the RADIUS server.

I eventually added a secondary RADIUS server and applied the same configuration on the RADIUS server itself and on the Aruba controller. The key was to test everything in a systematic and cautious way.
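The question asks how to verify that a new NPS box has everything it needs, and the resolution above lists the three items that turned out to matter (AD registration, the RADIUS client entry with its shared secret, PEAP rather than bare EAP-MSCHAPv2). The following PowerShell script is an added example, not code from the thread or from Microsoft or Aruba; it runs those checks on a Windows Server 2012 R2 NPS server and pulls the last few NPS denial events so the reason for the quoted error is visible. It assumes the RSAT ActiveDirectory module is installed; the controller address is a constructed placeholder.

```powershell
# Added example (not from the thread): pre-flight checks for a Windows Server 2012 R2 NPS box
# that an Aruba controller will use as its RADIUS server. Run in an elevated PowerShell
# session on the NPS server itself. Assumes the RSAT ActiveDirectory module is installed.

$ArubaControllerIp = '10.0.0.5'        # hypothetical RADIUS client address (your controller)

Import-Module NPS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$checks = [ordered]@{}

# 1. NPS role installed (feature name NPAS)
$checks['NPS role installed'] = (Get-WindowsFeature -Name NPAS).Installed

# 2. "Register server in Active Directory" adds the NPS computer account to the domain
#    group "RAS and IAS Servers"; without it NPS cannot read users' dial-in properties.
$rasMembers = Get-ADGroupMember -Identity 'RAS and IAS Servers' | Select-Object -ExpandProperty Name
$checks['NPS registered in AD'] = $rasMembers -contains $env:COMPUTERNAME

# 3. Controller defined as a RADIUS client and enabled. The secret itself cannot be compared
#    from here; it must match what is typed on the controller, character for character.
$client = Get-NpsRadiusClient | Where-Object { $_.Address -eq $ArubaControllerIp }
$checks['Controller is an enabled RADIUS client'] = ($null -ne $client) -and $client.Enabled

# 4. PEAP needs a server certificate in the computer store with the Server Authentication
#    EKU and a private key (CA-issued or self-signed both satisfy this).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$peapCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
}
$checks['Server Authentication certificate with private key'] = @($peapCerts).Count -gt 0

# 5. Recent NPS denials. Event 6273 in the Security log carries a "Reason Code";
#    code 22 is the "EAP Type cannot be processed by the server" text quoted in the question,
#    which is what a PEAP client gets when the server offers only bare EAP-MSCHAPv2.
$denials = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 5 -ErrorAction SilentlyContinue
$checks['No recent NPS denials (event 6273)'] = ($null -eq $denials)

$checks.GetEnumerator() | ForEach-Object {
    '{0,-50} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
$peapCerts | Select-Object Subject, NotAfter, Thumbprint
$denials   | Select-Object TimeCreated, Message | Format-List

# To build the secondary server identically, export this configuration and import it there.
# The XML contains the RADIUS client shared secrets in clear text, so protect or delete it.
# Export-NpsConfiguration -Path C:\nps-lab-config.xml     # on this server
# Import-NpsConfiguration -Path C:\nps-lab-config.xml     # on the secondary server
```

A line marked CHECK points at one of the three items from the resolution; the 6273 events printed at the end name the failing step directly, which is faster than guessing from the controller side.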
MaheshArchitect
Distinguished Expert 2018

Commented:
The 1st point you already mentioned in the question.

You do not need any template, and there is no need to register the RADIUS server anywhere except Active Directory, which you already did.

If you go further into PEAP, there you will find MS-CHAP v2 (password-based authentication).
Pkafkas, Network Engineer

Author

Commented:
Does PEAP require a certificate? How can I tell if the current RADIUS servers are using a certificate or not?
MaheshArchitect
Distinguished Expert 2018
Commented:
If you go to the PEAP properties by clicking Edit, you should find a certificate (maybe self-signed, since you may not have an AD-integrated CA).
This certificate is used for SSL purposes so that the connection between client and server remains encrypted. Without a certificate NPS won't communicate with clients; it's a mandatory requirement. You already have a working NPS, so you have a certificate.
However, this is different from certificate-based auth. If you check the PEAP properties page further, you will also see EAP types such as Secured password; as a fact, you are able to authenticate with an AD username and password. If you replace this Secured password with Certificate on that page, your client also needs a certificate, and then authentication will happen certificate-based, and in that case no username / password is required.
Check the post below:
https://www.entrustdatacard.com/knowledgebase/how-is-the-server-certificate-installed-on-microsoft-network-policy-server-nps-on-windows-2008-server
Pkafkas, Network Engineer

Author

Commented:
I will check. These details and explanations are helping me understand how the RADIUS server works.

We do have a locally created certificate that is in the PEAP properties.

(screenshot: screen01)
Question 1:  Is this the certificate that allows our users to authenticate into our network for wireless?

Question 2:  How does the shared secret key fit into the mix? Is the certificate created with the shared key? Is that how the shared secret key enters into the picture?
MaheshArchitect
Distinguished Expert 2018

Commented:
The certificate is used to establish an encrypted connection between client and server; without this certificate NPS won't communicate with clients.
When you use Secured password as the method, authentication still happens with the AD username and password.

VPN clients don't use a shared key.

The shared key is used by RADIUS clients to communicate with the RADIUS server.
The RADIUS server is nothing but your NPS server (IAS server), and RADIUS clients are nothing but VPN servers pointing to the IAS server for authentication, OR your access points pointing to the VPN / IAS server for authentication.

I hope this is clear now.
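The answer above separates the two secrets: the server certificate protects the PEAP tunnel between the laptop and NPS, while the shared secret protects the RADIUS packets between the controller (the RADIUS client) and NPS, and the certificate is not derived from it. The PowerShell below is an added example, not code from the thread or from any vendor, and it shows the one place the shared secret is actually used on the wire: per RFC 2865 section 3, the server puts MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret) into the Response Authenticator of its Access-Accept, and the controller recomputes that value with its own copy of the secret. The secret, packet bytes and attribute values are all constructed for the demonstration.

```powershell
# Added example (not from the thread): the RADIUS shared secret at work, per RFC 2865 section 3.
# The server proves it knows the secret through the 16-byte Response Authenticator; a NAS
# (here: the Aruba controller) recomputes it and silently discards any reply that does not match.
# No certificate takes part in this step. All values below are constructed.

function Get-RadiusResponseAuthenticator {
    param(
        [byte]  $Code,                  # 2 = Access-Accept, 3 = Access-Reject
        [byte]  $Identifier,            # copied from the Access-Request
        [byte[]]$RequestAuthenticator,  # 16 bytes copied from the Access-Request
        [byte[]]$Attributes,            # TLV-encoded attributes of the reply
        [string]$SharedSecret
    )
    $length = 20 + $Attributes.Length   # 20-byte header plus attributes
    $header = [byte[]]@($Code, $Identifier, [byte]($length -shr 8), [byte]($length -band 0xFF))
    $secret = [System.Text.Encoding]::ASCII.GetBytes($SharedSecret)
    $data   = [byte[]]($header + $RequestAuthenticator + $Attributes + $secret)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    try { return $md5.ComputeHash($data) } finally { $md5.Dispose() }
}

function Test-RadiusResponse {
    # What the controller does on receipt of a reply: recompute and compare the authenticator.
    param([byte[]]$Packet, [byte[]]$RequestAuthenticator, [string]$SharedSecret)
    $attrs = if ($Packet.Length -gt 20) { [byte[]]$Packet[20..($Packet.Length - 1)] } else { [byte[]]@() }
    $params = @{
        Code                 = $Packet[0]
        Identifier           = $Packet[1]
        RequestAuthenticator = $RequestAuthenticator
        Attributes           = $attrs
        SharedSecret         = $SharedSecret
    }
    $expected = Get-RadiusResponseAuthenticator @params
    # Constant-time comparison of bytes 4..19 so the check does not leak which byte differed
    $diff = 0
    for ($i = 0; $i -lt 16; $i++) { $diff = $diff -bor ($expected[$i] -bxor $Packet[4 + $i]) }
    return ($diff -eq 0)
}

# --- constructed exchange: controller and NPS both hold 'lab-secret-1' ---
$secret      = 'lab-secret-1'
$requestAuth = [byte[]](1..16)             # a real Access-Request carries 16 random bytes here
$id          = 7
$attrs       = [byte[]]@(18, 4, 0x6F, 0x6B) # one Reply-Message (type 18) attribute: "ok"

# NPS side: build the Access-Accept = header + Response Authenticator + attributes
$respAuth = Get-RadiusResponseAuthenticator -Code 2 -Identifier $id `
    -RequestAuthenticator $requestAuth -Attributes $attrs -SharedSecret $secret
$length   = 20 + $attrs.Length
$accept   = [byte[]]@(2, $id, [byte]($length -shr 8), [byte]($length -band 0xFF)) + $respAuth + $attrs

# Controller side: a matching secret accepts the reply, a mismatched one rejects it
Test-RadiusResponse -Packet $accept -RequestAuthenticator $requestAuth -SharedSecret $secret
Test-RadiusResponse -Packet $accept -RequestAuthenticator $requestAuth -SharedSecret 'wrong-secret'
```

The first Test-RadiusResponse call returns True and the second False, which is why a typo in the shared secret on either the controller or the NPS client entry looks like "the RADIUS server never answers" from the controller's point of view. With PEAP the user's password never appears in a User-Password attribute at all; it travels inside the TLS tunnel whose server end is the NPS certificate, and the EAP-Message attributes are additionally covered by a Message-Authenticator (RFC 3579) keyed with this same shared secret. The two secrets therefore protect different hops and are configured independently.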
