
How to get RADIUS Server Authentication to work with Active Directory for corporate wireless?

Last Modified: 2019-01-26
How to setup a new RADIUS Server for Wireless Authentication?

I have never set up a RADIUS server before.  In the past, for wireless or Citrix or any form of authentication we just had to configure:

- LDAP Server IP address (Active Directory Server IP address).
- User account with administrator access that could authenticate to the AD server.
- Worked with a vendor (like Citrix) that had accomplished this before.

Now, I am working in a new environment where my project is to migrate to the new Aruba Wireless System from an E.O.L. wireless system.   We have an older HP MSM700 series Wireless system used in production and the Aruba is in my test lab.  

We require a RADIUS Server for employee authentication to our Corporate Wireless network.  I have found a few web sites; but, I want to know how I can verify if the new RADIUS server (Network Policy Server) has all of the requirements?

The production Wireless Controller (older) is set up to use EAP Authentication and it is configured to use a local certificate that was provided to us by DigiCert (THAWTE - CA).  That certificate is labelled to be used to authenticate to the peer.  We attempted to use the currently used RADIUS server; but, after the new Aruba Clients were added the RADIUS server stopped working; hence, it was decided to create a new RADIUS server for the new Wireless system so that it should not affect the users in the production environment.

The new RADIUS server is setup as follows:

1.  Network Policy Server Role (Windows 2012 R2)
2.  Does not have Active Directory installed.  A.D. is a different server.
3.  I have added the Aruba Controllers as RADIUS Clients (by IP address).
4.  The current test server has "EAP MSCHAPv2" setup for the Authentication method.
5.  I have registered the NPS with Active Directory.

Question1:  What will I need to verify if the current production wireless setup has or does not have?  So I can duplicate the authentication on the new Aruba system.

Question2:  Why am I getting the following error from the Network Policy Server's "Event Viewer" when attempting to authenticate to the corporate Wireless from the new RADIUS server?

The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


https://www.gypthecat.com/how-to-configure-windows-2012-nps-for-radius-authentication-with-ubiquiti-unifi

https://community.arubanetworks.com/t5/Controllerless-Networks/Wireless-Connection-issues-while-roaming-with-Lenovo-Laptops/td-p/241742

Mahesh (Architect)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Did you configure your Aruba controller with a shared secret to point to the RADIUS server? The same secret should be used on the RADIUS server when adding the controller as a RADIUS client.
Also check if you have configured only MS-CHAP v2 in the advanced properties of EAP; if it's certificate based, you will get the error.
Pkafkas (Network Engineer)

Author

Commented:
I did get the RADIUS servers to work with the Aruba Controllers.  After reviewing the above mentioned web sites I noticed 3 things:

1.  The RADIUS server was not registered with Active Directory.

2.  My manager did not have a template for registering the Windows 2012 R2 servers with RADIUS.
     a.  I am not familiar with this part; but, my manager informed me that he will show me this later.

3.  The authentication method was set for MS-CHAP v2; but, I needed to set it for PEAP instead.
     a.  After PEAP was recognized, the authentication worked like a champ with the RADIUS server.


I eventually added a secondary RADIUS server and applied the same configuration on the RADIUS server itself and on the Aruba Controller.  The key was to test everything in a systematic and cautious way.
Mahesh (Architect)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The 1st point you already mentioned in the question.

You do not need any template, and there is no need to register the RADIUS server anywhere except Active Directory, which you already did.

If you go further into PEAP, there you will find MS-CHAP v2 (password-based authentication).
Pkafkas (Network Engineer)

Author

Commented:
Does PEAP require a certificate?  How can I tell if the current RADIUS servers are using a certificate or not?
Pkafkas (Network Engineer)

Author

Commented:
I will check.  These details and explanations are helping me understand how the RADIUS server works.

We do have a locally created certificate that is in the PEAP properties.

Question1:  Is this the certificate that allows our users to authenticate into our network for wireless?

Question2:  How does the shared secret key fit into the mix?  Is the certificate created with the shared key?  Is that how the shared secret key enters into the picture?
Mahesh (Architect)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The certificate is used to establish an encrypted connection between the client and server; without this certificate, NPS won't communicate with clients.
When you use secure password as the method, authentication still happens with the AD username and password.

VPN clients don't use a shared key.

The shared key is used by RADIUS clients to communicate with the RADIUS server.
The RADIUS server is nothing but your NPS server (IAS server), and RADIUS clients are nothing but VPN servers pointing to the IAS server for authentication, OR your access points pointing to the VPN / IAS server for authentication.

I hope this is clear now.
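The checks discussed in this thread (a usable PEAP server certificate, a RADIUS client entry per controller, NPS registration in AD, and the EAP-type failures in the event log) can be run from the NPS host itself. This is an added PowerShell example, not code from any poster; it assumes an elevated session on the Windows Server 2012 R2 NPS server with the NPS and ActiveDirectory (RSAT) modules installed, and the controller IP addresses are placeholders.

```powershell
# Added example: verify an NPS/RADIUS setup for PEAP-MSCHAPv2 wireless authentication.
# Assumptions: elevated PowerShell on the NPS server; NPS and ActiveDirectory modules present.
Import-Module NPS
Import-Module ActiveDirectory

# 1. Certificates NPS could present for PEAP: private key present and the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1). The issuer must also be a CA
#    the wireless clients trust (a public CA such as DigiCert, or the internal CA).
Write-Host "== Candidate PEAP server certificates =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint |
    Format-Table -AutoSize

# 2. One RADIUS client entry per controller source IP. The shared secret is only
#    stored in NPS, so the check here is that the entry exists; the secret itself
#    must be typed identically on the Aruba side.
$controllers = @('192.0.2.10', '192.0.2.11')   # placeholders for the Aruba controller IPs
$clients = Get-NpsRadiusClient
foreach ($ip in $controllers) {
    $match = $clients | Where-Object { $_.Address -eq $ip }
    if ($match) { "RADIUS client for $ip : $($match.Name)" }
    else        { "MISSING: no RADIUS client entry for $ip" }
}

# 3. "Register server in Active Directory" adds the computer account to the
#    "RAS and IAS Servers" group, which lets NPS read account dial-in properties.
$members = Get-ADGroupMember -Identity 'RAS and IAS Servers' | Select-Object -ExpandProperty Name
if ($members -contains $env:COMPUTERNAME) { "NPS is registered in AD" }
else { "NPS is NOT registered in AD (computer account not in 'RAS and IAS Servers')" }

# 4. Recent denied requests (Security log event 6273), grouped by EAP type and
#    reason code. The "EAP Type cannot be processed by the server" error quoted in
#    the question shows up here, distinct from bad-password or shared-secret failures.
Write-Host "== Denied authentications by EAP type / reason =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        $xml.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d['SubjectUserName']
                           Client = $d['ClientIPAddress']; EapType = $d['EAPType']
                           Reason = $d['ReasonCode'] }
    } |
    Group-Object EapType, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If step 4 shows failures from a controller IP that step 2 reports as missing, the request is being dropped before EAP is even evaluated, which is the shared-secret / RADIUS-client problem rather than the EAP-type one.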