{"id":1113,"date":"2016-01-08T20:55:00","date_gmt":"2016-01-08T20:55:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=1113"},"modified":"2024-11-17T21:04:06","modified_gmt":"2024-11-17T21:04:06","slug":"deploying-eap-tls-wireless-solution-in-an-enterprise-environment","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/deploying-eap-tls-wireless-solution-in-an-enterprise-environment\/","title":{"rendered":"Deploying EAP-TLS Wireless Solution in an Enterprise Environment"},"content":{"rendered":"

EAP TLS is one of the most secure methods of deploying wireless solutions in an organisation. It uses certificate based authentication both on the server side and client side to authenticate each other, the internal CA is responsible for issuing certificates to the users and computers.\u00a0There are a number of ways to deploy EAP-TLS, using a combination of computer certificates, user certificates, different types of AAA servers, and different WLC vendors, however the same methods and process will take place in the background. In a\u00a0typical deployment, you would use a Certification Authority server to issue\/manage certificates, one or several AAA server as the RADIUS server, one or multiple WLC\u2019s to manage the WLAN\/s and forward the authentication requests, and finally \u00a0clients to connect to the infrastructure network.<\/p>\n

Wireless Terminology\u00a0<\/strong><\/p>\n

Supplicant =\u00a0<\/strong>Client\/User<\/p>\n

Authenticator =\u00a0<\/strong>AP<\/p>\n

Authentication Server =\u00a0<\/strong>AAA RADIUS Server<\/p>\n

What happens in the background?<\/strong><\/p>\n

During association the client initiates a connection to the authenticator, the authenticator seeks the requirements of the connection and forwards the request to the WLC who then forwards it to the authentication server. The authentication server sends its\u00a0certificate to the supplicant, including a request for the supplicant\u00a0to provide its certificate back. At this time the authenticator places a block for that supplicant\u00a0until successful authentication can take place. During authentication the client validates the server\u00a0certificate and responds with an EAP response message containing its certificate. The server validates the clients certificate and refers to the network policies to authenticate the supplicant. Once authentication is successful the server responds with specification for the session, at this time the block is removed by the authenticator and the supplicant\u00a0is allowed on to the network.<\/p>\n

What will be doing in this Step-byStep guide?\u00a0<\/strong><\/p>\n

\"Topology\"<\/p>\n

In this step-by-step guide we will deploy EAP-TLS for\u00a0our wireless network infrastructure, in micro steps\u00a0we will configure the following:<\/p>\n

Windows Server 2012 R2:<\/strong>\u00a0This will act as the Domain Controller as well as the Certification Authority to issue and manage our certificates. We will be using user certificates which is the preferred\u00a0option in this type of deployment. User certificates have an additional layer of security over computer certificates, this is because only the user that has a valid certificate will be able to authenticate whereas a computer certificate authenticates the device regardless of the user that is logged on to that machine. We will create AD users and security groups to control access via our NPS Server. We will also deploy Group Policy settings from our DC to push out auto enrollment for our user certificates, and our SSID profiles.<\/p>\n

Windows Server 2012 R2:<\/strong>\u00a0The second box will be setup as the NPS RADIUS server, this server will be used to create our network policies for access control, we will identify the AD security groups that will be allowed to authenticate as well as the type of connections allowed. We will also define the method of authentication we will be using and allocate a valid server certificate for the process. Although the NPS role can be installed on the DC, I have specifically decided to keep it separate. Installing the NPS role on a DC would require a \u201cDomain Controller\u201d certificate\u00a0instead of the \u201cComputer Certificate\u201d that we will be using. This I found can have a mixture of effects where the clients are unable to authenticate due to a \u201cuser credentials mismatch\u201d, this I suspect is a certificate issue due to new certificates being generated automatically by the DC for the purpose of \u201cKerberos Authentication\u201d, \u201cDomain Controller Authentication\u201d and \u201cDirectory Email Replication\u201d.<\/p>\n

Cisco vWLC:\u00a0<\/strong>This will be a WLAN controller\u00a0that will forward all RADIUS authentication requests to the NPS server, we will also set-up the WLAN profiles and manage the SSIDs<\/p>\n

Windows 7 client:\u00a0<\/strong>This client\u00a0<\/strong>machine will be domain bound, primarily we will use this device to connect to the wireless infrastructure and validate our configuration.<\/p>\n

Please note: In order to carry out this lab you must have a functioning domain with ADDS, DNS, DHCP and networking, you will also need the additional roles installed mentioned above on the relevant servers.<\/p>\n

 <\/p>\n

Anchor\u00a0links<\/p>\n

Request a Computer Certificate for the NPS Server<\/strong><\/a><\/p>\n

Configure Auto\u00a0Enrollment to issue\u00a0User\u00a0Certificates<\/strong><\/a><\/p>\n

Create AD Security Groups and assign users<\/strong><\/a><\/p>\n

Configure RADIUS and Create the Network Access Policies<\/strong><\/a><\/p>\n

Configure the WLC for RADIUS and setup the WLAN<\/strong><\/a><\/p>\n

Configure the Client Network settings via GPO<\/strong><\/a><\/p>\n

Validating the deployment & Testing<\/strong><\/a><\/p>\n

 <\/p>\n

Lets Get Started!<\/p>\n

Request a Computer Certificate for the NPS Server<\/strong><\/p>\n

In order to set-up our network policy server for EAP authentication we need to request a computer\u00a0certificate so that when clients attempt to authenticate the NPS server is able to present its certificate to verify its identity is legitimate. You must have a CA Server Installed and configured in order to request a certificate, please refer to\u00a0\u201cInstall Certification Authority on Server 2012 R2\u201d<\/a>.<\/p>\n

1.<\/strong>\u00a0 Logon to the\u00a0NPS Server\u00a0and Click\u00a0\u201cStart\u201d\u00a0type\u00a0\u201cMMC\u201d<\/p>\n

<\/p>\n

2.<\/strong>\u00a0at the Window click\u00a0\u201cFile\u201d\u2013\u00a0\u201cAdd\/Remove Snap-in\u201d<\/p>\n

\"00.3\"<\/p>\n

3.<\/strong>\u00a0from the left hand pane select\u00a0\u201cCertificates\u201d\u00a0and hit the\u00a0\u201cAdd\u201d\u00a0button<\/p>\n

\"00.4\"<\/p>\n

4.\u00a0<\/strong>Select\u00a0\u201cComputer account\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"00.5\"<\/p>\n

5.\u00a0<\/strong>Select\u00a0\u201cLocal computer\u201d\u00a0and click\u00a0\u201cFinish\u201d<\/p>\n

\"00.6\"<\/p>\n

6.\u00a0<\/strong>Expand\u00a0\u201cCertificates\u201d \u2013 \u201cPersonal\u201d\u00a0\u00a0Right click and select\u00a0\u201cAll Tasks\u201d\u00a0\u2013\u00a0\u201cRequest New Certificate\u201d<\/p>\n

<\/p>\n

7.\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"00.9\"<\/p>\n

8.\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"00.10\"<\/p>\n

9.\u00a0<\/strong>Select\u00a0\u201cComputer\u201d\u00a0and click\u00a0\u201cEnroll\u201d<\/p>\n

<\/p>\n

10.\u00a0<\/strong>Once the certificate has enrolled and installed click\u00a0\u201cFinish\u201d<\/p>\n

<\/p>\n

The new generated certificate for the server signed by the CA will now be visible\u00a0<\/strong>in the certificates MMC<\/p>\n

<\/p>\n

 <\/p>\n

Configure Auto\u00a0Enrollment to issue\u00a0User\u00a0Certificates<\/strong><\/p>\n

We need to create a template for our requirements of the certificates that we want to issue our users, then we can use this template and configure auto enrollment for\u00a0our domain users. This way the deployment of certificates is automated and users do not have to manually request one. We can then push out the policy using GPO.<\/p>\n

1.<\/strong>\u00a0Login to the\u00a0CA Server, click\u00a0\u201cStart\u201d\u00a0type\u00a0\u201cCertification\u00a0Authority\u201d<\/p>\n

\"1\"<\/p>\n

2.<\/strong>\u00a0Expand\u00a0\u201cServer Name\u201d right click\u00a0Certificate Templates\u201d\u00a0and select\u00a0\u201cManage\u201d<\/p>\n

\"2\"<\/p>\n

3.<\/strong>\u00a0From the \u201cCertificates Templates console\u201d scroll down,\u00a0right click\u00a0\u201cUser\u201d\u00a0and select\u00a0\u201cDuplicate Template\u201d<\/p>\n

\"3\"<\/p>\n

4.<\/strong>\u00a0From the\u00a0\u201cCompatibility Settings\u201d\u00a0select \u201cWindows Server 2012 R2\u2033\u00a0as the Certification Authority<\/p>\n

\"3.2\"<\/p>\n

5.<\/strong>\u00a0At the pop-up prompt click\u00a0\u201cOK\u201d<\/p>\n

\"3.3\"<\/p>\n

6.<\/strong>\u00a0Select \u201cWindows 7\/Server 2008 R2\u2033\u00a0as the Certificate recipient<\/p>\n

\"3.4\"<\/p>\n

7.<\/strong>\u00a0At the popup prompt click\u00a0\u201cOK\u201d<\/p>\n

\"3.5\"<\/p>\n

8.<\/strong>\u00a0Click the\u00a0\u201cGeneral\u201d\u00a0tab, give the template a name and tick\u00a0\u201cPublish certificate in Active Directory\u201d<\/p>\n

\"3.6\"<\/p>\n

9.\u00a0<\/strong>Click the\u00a0\u201cSecurity\u201d\u00a0tab, select\u00a0\u201cDomain Users\u201d\u00a0tick the\u201cAutoenroll\u201d\u00a0check box under\u00a0\u201cAllow\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

10.<\/strong>\u00a0Click the\u00a0\u201cSubject Name\u201d\u00a0tab and\u00a0de-select<\/strong>\u00a0\u201cInclude email name in subject name\u201d\u00a0and\u00a0\u201cEmail Name\u201d,\u00a0If these boxes are ticked and the users in AD have no email address specified, the certificates will not enroll and continue to fail, this can be left ticked if you have an on premise exchange server.<\/p>\n

\"3.08\"<\/p>\n

The template will appear in the list<\/p>\n

\"3.8\"<\/p>\n

11.<\/strong>\u00a0Close the\u00a0\u201cCertificates Templates Console\u201d\u00a0back on the\u00a0\u201cCertification Authority\u201d\u00a0console right click\u00a0\u201cCertificate Templates\u201d\u00a0folder,\u00a0select\u00a0\u201cNew \u201cand click\u00a0\u201cCertificate Template to Issue\u201d<\/p>\n

<\/p>\n

12.<\/strong>\u00a0Select the template created earlier and click\u00a0\u201cOK\u201d<\/p>\n

\"3.10\"<\/p>\n

The template will now appear as a valid template that can be issued out.<\/p>\n

\"3.11\"<\/p>\n

13.\u00a0<\/strong>Still on the\u00a0CA\/DC\u00a0click\u00a0\u201cStart\u201d\u00a0type\u00a0\u201cGroup Policy Management\u201d<\/p>\n

\"3.12\"<\/p>\n

14.<\/strong>\u00a0Expand\u00a0\u201cForest\u201d\u00a0\u2013\u00a0\u201cDomain\u201d\u00a0\u2013 right click\u00a0\u201cDefault Domain Policy\u201d\u00a0and select\u00a0\u201cEdit\u201d. Any group policy can be used to push out the enrollment settings, you can also create a dedicated GPO linked back to an OU.<\/p>\n

 <\/p>\n

\"3.13\"<\/p>\n

15.<\/strong>\u00a0Expand\u00a0\u201cUser Configuration\u201d\u00a0\u2013\u00a0Windows Settings\u201d\u00a0\u2013 \u201cSecurity Settings\u201d Select\u00a0\u201cPublic Key Policies\u201d\u00a0click and open\u00a0\u201cCertificate Services Client \u2013 Auto Enrollment\u201d<\/p>\n

<\/p>\n

16.<\/strong>\u00a0Select\u00a0\u201cEnabled\u201d\u00a0tick\u00a0\u201cRenew expired certificates, update pending certificates, and remove revoked certificates\u201d, and\u00a0\u201cUpdate certificates that use certificate templates\u201d.\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

\"3.15\"<\/p>\n

 <\/p>\n

Create AD Security Groups and assign users<\/strong><\/p>\n

In this step we will create a new security group that will be used to control access for our users, for the purpose of this lab we will create a single user and make them a member of that security group so that we can use this user later for validating our deployment.<\/p>\n

1.<\/strong>\u00a0On the\u00a0DC\u00a0click\u00a0\u201cStart\u201d\u00a0and type\u00a0\u201cActive Directory Users and Computers\u201d<\/p>\n

\"0.1\"<\/p>\n

2.\u00a0<\/strong>From the\u00a0\u201cAction\u201d\u00a0Menu select\u00a0\u201cNew\u201d \u2013 \u201cGroup\u201d<\/p>\n

\"0.2\"<\/p>\n

3.<\/strong>\u00a0 Give the group a meaningful name, in this case we have used\u00a0\u201cWireless Users\u201d. Make sure\u00a0\u201cGlobal\u201d\u00a0and\u00a0\u201cSecurity\u201d\u00a0is selected. Click\u00a0\u201cOK\u201d<\/p>\n

\"0.3\"<\/p>\n

4.\u00a0<\/strong>From the\u00a0\u201cAction\u201d\u00a0Menu select\u00a0\u201cNew\u201d \u2013 \u201cUser\u201d<\/p>\n

\"0.4\"<\/p>\n

5.\u00a0<\/strong>Give the user a name, in this case we have used\u00a0\u201cWLANUser\u201d\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"0.5\"<\/p>\n

6.\u00a0<\/strong>Create a password for the user and for this lab environment we can safely select\u00a0\u201cPassword never expires\u201d<\/p>\n

\"0.6\"<\/p>\n

7.\u00a0<\/strong>Click\u00a0\u201cFinish\u201d<\/p>\n

\"0.7\"<\/p>\n

8.\u00a0<\/strong>Right click the security group\u00a0\u201cWireless Users\u201d\u00a0created earlier select\u00a0\u201cProperties\u201d, and click the\u00a0\u201cMembers\u201d\u00a0tab. Click\u00a0\u201cAdd\u201d\u00a0and add the newly created user\u00a0\u201cWLANUser\u201d\u00a0into the security group. Click\u00a0\u201cOK\u201d<\/p>\n

\"0.8\"<\/p>\n

\u00a0<\/strong><\/p>\n

\"0.9\"<\/p>\n

 <\/p>\n

Configure RADIUS and Create the Network Access Policies\u00a0<\/strong><\/p>\n

In this step we will configure our RADIUS client which will be the WLC, the WLC will be forwarding all the authentication requests to this NPS server. We will create our network connection and network access policies to define the parameters which we want our users to meet in order to successfully authenticate. We will also define within our access policy the method of authentication we want to use, which will be EAP-TLS certificate based. And finally we will specify which certificate the NPS server will use to identify itself.<\/p>\n

1. \u00a0<\/strong>On the\u00a0NPS sevrer\u00a0<\/strong>Click\u00a0\u201cStart\u201d\u00a0and type\u00a0\u201cNPS\u201d\u00a0if you haven\u2019t installed the role yet refer to\u00a0\u201cInstall Network Policy Server (NPS) on Server 2012 R2\u201d<\/a><\/p>\n

\"1\"<\/p>\n

2.\u00a0<\/strong>Expand \u201cRADIUS Clients and Server\u201d\u00a0right click\u00a0\u201cRADIUS Clients\u201d and select\u00a0\u201cNew\u201d<\/p>\n

\"2\"<\/p>\n

3.\u00a0<\/strong>Make sure\u00a0\u201cEnable this RADIUS client\u201d\u00a0is ticked, give the client a name and input the\u00a0\u201cIP Address\u201d\u00a0of the Wireless LAN Controller. Select an existing\u00a0\u201cShared Secret Template\u201d\u00a0or type one in manually at the bottom. Click\u00a0\u201cOK\u201d<\/p>\n

\"3\"<\/p>\n

4.<\/strong>\u00a0Click\u00a0\u201cAdvanced\u201d\u00a0and select\u00a0\u201cCisco\u201d\u00a0from the\u00a0\u201cVendor Name\u201d\u00a0drop down box<\/p>\n

\"4\"<\/p>\n

The added client will now be displayed in the client list<\/p>\n

\"5\"<\/p>\n

5.\u00a0<\/strong>Expand\u00a0\u201cPolices\u201d\u00a0right click\u00a0\u201cConnection Request Policies\u201d\u00a0and select\u00a0\u201cNew\u201d<\/p>\n

\"6\"<\/p>\n

6.\u00a0<\/strong>Give the policy a name, in this case we used\u00a0\u201cEAP-TLS\u201d\u00a0click\u00a0\u201cNext\u201d<\/p>\n

\"7\"<\/p>\n

7.\u00a0<\/strong>Click\u00a0\u201cAdd\u201d<\/p>\n

\"8\"<\/p>\n

8.\u00a0<\/strong>Select\u00a0\u201cNAS Port Type\u201d, click\u00a0\u201cAdd\u201d<\/p>\n

\"9\"<\/p>\n

9.\u00a0<\/strong>Select\u00a0\u201cWireless \u2013 IEEE 802.11\u201d\u00a0and\u00a0Wireless \u2013 Other\u201d.\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

\"10\"<\/p>\n

10.\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"11\"<\/p>\n

11.\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"12\"<\/p>\n

12.\u00a0<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"13\"<\/p>\n

13.\u00a0\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"14\"<\/p>\n

14.\u00a0\u00a0<\/strong>Click\u00a0\u201cFinish\u201d<\/p>\n

\"15\"<\/p>\n

15.<\/strong>\u00a0The policy will now be visible under the\u00a0\u201cConnection Request Policies\u201d<\/p>\n

\"16\"<\/p>\n

16.\u00a0<\/strong>Expand\u00a0\u201cPolicies\u201d\u00a0right click\u00a0\u201cNetwork Policies\u201d\u00a0and select\u00a0\u201cNew\u201d<\/p>\n

\"17\"<\/p>\n

17.\u00a0<\/strong>Give the network policy a name and click\u00a0\u201cNext\u201d, in this example the same name as the connection policy is used, so that we can clearly identify what this policy is used for. The names do not have to correspond.<\/p>\n

\"18\"<\/p>\n

18.\u00a0<\/strong>Click\u00a0\u201cAdd\u201d<\/p>\n

\"19\"<\/p>\n

19.\u00a0<\/strong>Click\u00a0\u201cAdd\u201d\u00a0select\u00a0\u201cUser Groups\u201d\u00a0click\u00a0\u201cAdd Groups\u201d\u00a0and add the AD security group created earlier, in this case its the\u00a0\u201cWireless Users\u201d\u00a0group. Click\u00a0\u201cOK\u201d<\/p>\n

\"20\"<\/p>\n

20.\u00a0<\/strong>Click\u00a0\u201cAdd\u201d
\n<\/strong><\/p>\n

\"21\"<\/p>\n

21.\u00a0<\/strong>Click\u00a0\u201cAdd\u201d\u00a0select\u00a0\u201cNAS Port Type\u201d\u00a0click\u00a0\u201cAdd\u201d\u00a0select\u00a0\u201cWireless \u2013 IEEE 802.11\u201d\u00a0and\u00a0\u201cWireless \u2013 Other\u201d. Click\u00a0\u201cOK\u201d<\/p>\n

\"22\"<\/p>\n

22.\u00a0<\/strong>Click\u00a0\u201cAdd\u201d\u00a0select\u00a0\u201cAuthentication Type\u201d\u00a0click\u00a0\u201cAdd\u201d\u00a0select\u00a0\u201cEAP\u201d\u00a0OK<\/p>\n

\"23\"<\/p>\n

23.\u00a0<\/strong>Once all three conditions have been specified, click\u00a0\u201cNext\u201d
\n<\/strong><\/p>\n

\"24\"<\/p>\n

24.\u00a0<\/strong>Select\u00a0\u201cAccess Granted\u201d\u00a0click\u00a0\u201cNext\u201d
\n<\/strong><\/p>\n

\"25\"<\/p>\n

25.\u00a0<\/strong>Deselect all the\u00a0\u201cLess secure authentication methods\u201d\u00a0and click\u00a0\u201cAdd\u201d\u00a0select\u00a0\u201cMicrosoft: Smart Card or other certificate\u201d\u00a0click\u00a0\u201cOK\u201d
\n<\/strong><\/p>\n

\"26\"<\/p>\n

26.\u00a0<\/strong>Select\u00a0\u201cMicrosoft: Smart Card or other certificate\u201d\u00a0click\u00a0\u201cEdit\u201d\u00a0from the dropdown list select the correct server certficate, in this case its the computer\u00a0certificate generated earlier \u2013\u00a0\u201cLNS-NPS-01.LNS.internal\u201d.\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

27.\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"27\"<\/p>\n

28.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"28\"<\/p>\n

29.\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"29\"<\/p>\n

30.<\/strong>\u00a0Click\u00a0\u201cFinish\u201d<\/p>\n

\"30\"<\/p>\n

The Network Policy will now be visible in the\u00a0\u201cNetwork Polices\u201d\u00a0list<\/p>\n

\"31\"<\/p>\n

 <\/p>\n

Configure the WLC for RADIUS and setup the WLAN<\/strong><\/p>\n

In this step we will configure the Wireless LAN Controller with a RADIUS Server, then we will create a new WLAN and define the network parameters\u00a0and finally point the WLC to send all authentication requests to the NPS server.<\/p>\n

1.\u00a0<\/strong>Login to the\u00a0WLC\u00a0and navigate to\u00a0\u201cSecurity\u201d\u00a0\u2013\u00a0\u201cAAA\u201d\u00a0\u2013\u00a0\u201cRADIUS\u201d\u00a0\u2013\u00a0\u201cAuthentication\u201d\u00a0Click\u00a0\u201cNew\u201d<\/p>\n

<\/p>\n

2.<\/strong>\u00a0Insert the information of the RADIUS server configured earlier, Specify the\u00a0\u201cServer IP Address\u201d\u00a0the\u00a0\u201cShared Secret\u201d\u00a0leave the rest as default.<\/p>\n

\"2\"<\/p>\n

The added RADIUS Server should now appear in the list<\/p>\n

\"3\"<\/p>\n

4.\u00a0<\/strong>Click\u00a0\u201cWLANs\u201d\u00a0select\u00a0\u201cCreate New\u201d\u00a0and click\u00a0\u201cGo\u201d
\n<\/strong><\/p>\n

\"4\"<\/p>\n

 <\/p>\n

5.\u00a0<\/strong>Give the Profile and SSID a name, click\u00a0\u201cApply\u201d<\/p>\n

\"5\"<\/p>\n

6.\u00a0<\/strong>From the\u00a0\u201cGeneral\u201d\u00a0tab select the\u00a0\u201cEnabled\u201d\u00a0tick box and select the\u00a0\u201cRadio Policy\u201d\u00a0to use with the profile. From the\u00a0\u201cInterface Group\u201d\u00a0drop down list, select the\u00a0 appropriate interface In this example we have used\u00a0\u201cVlan10\u201d\u00a0for more information on how to set-up interface groups for different VLANs\u00a0and enable switching \u2013\u00a0check out\u00a0\u201cCisco Wireless \u2013 Setting up FlexConnect aka \u201cH-REAP\u201d with Local Switching of Multiple VLANs\u201d<\/a><\/p>\n

\"6\"<\/p>\n

7.\u00a0<\/strong>Select the\u00a0\u201cSecurity\u201d\u00a0tab click\u00a0\u201cLayer 2\u201d\u00a0and select\u00a0\u201c802.1X\u201d from the drop down list<\/p>\n

\"7\"<\/p>\n

8.<\/strong>\u00a0Click\u00a0\u201cAAA Servers\u201d\u00a0tab and check the\u00a0\u201cEnabled\u201d\u00a0tickbox under\u00a0\u201cAuthentication Servers\u201d.\u00a0In the\u00a0\u201cServer 1\u201d\u00a0field select the IP address of the added RADIUS server from step 2. Tick the\u00a0\u201cEnable\u201d\u00a0check box under\u00a0\u201cEAP Parameters\u201d\u00a0Hit\u00a0\u201cApply\u201d<\/p>\n

\"8\"<\/p>\n

 <\/p>\n

Configure the Client Network settings via GPO<\/strong><\/p>\n

The client can be configured\u00a0locally or\u00a0via group policy to push out the wireless connection settings, we will\u00a0use the GPO option as this will be the most effective in the domain environment.<\/p>\n

1.<\/strong>\u00a0Logon to the\u00a0DC, Click\u00a0\u201cStart\u201d\u00a0type\u00a0\u201cGroup Policy Management\u201d<\/p>\n

\"4.1\"<\/p>\n

2.<\/strong>\u00a0Expand\u00a0\u201cForest\u201d\u00a0\u2013\u00a0\u201cDomain\u201d\u00a0\u2013 right click\u00a0\u201cDefault Domain Policy\u201d\u00a0and select\u00a0\u201cEdit\u201d. Any group policy can be used to push out the client wirless network\u00a0settings, you can also create a dedicated GPO linked back to an OU<\/p>\n

\"4.2\"<\/p>\n

3.\u00a0<\/strong>Expand\u00a0\u201cComputer\u00a0Configuration\u201d\u00a0\u2013\u00a0Windows Settings\u201d\u00a0\u2013 \u201cSecurity Settings\u201d Select\u00a0\u201cWireless Network (IEEE 802.11) Policies\u201d\u00a0right click and select\u00a0\u201cCreate A New Wireless Network Policy for Windows Vista and Later Releases\u201d<\/p>\n

\"4.3\"<\/p>\n

4.<\/strong>\u00a0Give the policy a name, make sure\u00a0\u201cUse Windows WLAN AutoConfig service for clients\u201d is ticked. Click\u00a0\u201cAdd\u201d\u00a0select\u00a0\u201cInfrastructure\u201d<\/p>\n

\"4.4\"<\/p>\n

5.<\/strong>\u00a0Give the profile a name, input the\u00a0SSID name under\u00a0\u201cNetwork Name(s) (SSID)\u201d\u00a0this is the name of the WLAN that was created on the vWLC earlier. you can use the available tick boxes to tweak some of the options available to suit your environment.<\/p>\n

\"4.5\"<\/p>\n

6.<\/strong>\u00a0Click the\u00a0\u201cSecurity\u201d\u00a0tab, select\u00a0\u201cOpen with 802.1X\u201d\u00a0as the authentication, select\u00a0\u201cUser Authentication\u201d\u00a0as the authentication mode\u00a0and\u00a0select\u00a0\u201cMicrosoft: Smart Card or other certificate\u201d\u00a0as the network authentication method, click\u00a0\u201cProperties\u201d<\/p>\n

\"4.6\"<\/p>\n

7.<\/strong>\u00a0Under \u201cWhen connecting\u201d select\u00a0\u201cUse a certificate on this computer\u201d\u00a0tick\u00a0\u201cUse a simple certificate selection (Recommended)\u201d\u00a0and tick \u201cVerify the servers identity by validating the certificate\u201d<\/p>\n

From the \u201cTrusted Root Certification Authorities\u201d select the root certificate of your root CA, this is the certificate that is issued to the CA server by the CA.<\/p>\n

Finally tick\u00a0\u201cuse a different username for the connection\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

\"4.7\"<\/p>\n

8.<\/strong>\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

\"4.8\"<\/p>\n

\"4.9\"<\/p>\n

 <\/p>\n

Validating the Deployment & Testing<\/strong><\/p>\n

Now that all the configurations are complete, we need to validate our wireless network\u00a0is working correctly, using the domain bound client we will login and make the necessary checks.<\/p>\n

1.\u00a0<\/strong>On the client machine login using the domain user credentials, in this case its the\u00a0\u201cWLANUser\u201d\u00a0created earlier, as the client will not have a valid wireless connection to the domain we will need to plug directly on to the network so that: \u00a01. we can login and 2. the group policies can be applied along with the user certificate auto enrolment.<\/p>\n

\"1\"<\/p>\n

2.<\/strong>\u00a0Launch\u00a0\u201cMMC\u201d, add the\u00a0\u201cCertificates\u201d\u00a0snap in, expand\u00a0\u201cCertificates\u201d\u00a0\u2013\u00a0\u201cPersonal\u201d\u00a0\u2013\u00a0\u201cCertificates\u201d\u00a0and verify the user certificate has been issued. \u00a0If the\u00a0user\u00a0certificate\u00a0is not\u00a0present, try to do a \u201cgpupdate \/force\u201d or go\u00a0back and look for misconfiguration during the templates set-up or group policy steps earlier.<\/p>\n

\"2\"<\/p>\n

3.<\/strong>\u00a0Click and open the certificate, make sure all the information is valid and that the right certificate has been issued.<\/p>\n

\"3\"<\/p>\n

4.<\/strong>\u00a0Click the\u00a0\u201cDetails\u201d tab and click\u00a0\u201cCertificate Template Information\u201d.\u00a0Verify the template used is the template created earlier, this will give us a clear indication that our CA is working correctly and is able to auto enroll and issue our domain users with a valid certificate.<\/p>\n

\"4\"<\/p>\n

5.<\/strong>\u00a0Navigate to\u00a0\u201cControl Panel\u00a0\u2013\u00a0\u201cNetwork and Internet\u201d\u00a0\u2013\u00a0\u201cManage Wireless Networks\u201d\u00a0verify the network profile created via group policy is available, this network will not be editable by the user as the settings are centrally managed via GPO. if the network is not visible issue a \u201cgpupdate \/force\u201d or troubleshoot the GPO settings.<\/p>\n

\"5\"<\/p>\n

6.<\/strong>\u00a0Click the wireless icon and verify the SSID is being broadcast<\/p>\n

\"6\"<\/p>\n

Click\u00a0\u201cConnect\u201d<\/p>\n

\"7\"<\/p>\n

7.<\/strong>\u00a0The user will be prompted with a window displaying the username which is on the user certificate, the connection username will also include the same username. This prompt is asking the user to select the certificate in which they would like to use to connect. In a domain environment the logged on user will only be able to see their own certificate. Click\u00a0\u201cView Certificate\u201d\u00a0to see the details of the cert, then\u00a0click\u00a0\u201cOK\u201d\u00a0to connect. \u00a0The prompt only appears the first time the user connects, subsequent connections take place automatically in the background.<\/p>\n

\"8\"<\/p>\n

\"9\"<\/p>\n

\"10\"<\/p>\n

8.<\/strong>\u00a0Launch CMD type\u00a0\u201cIPconfig\u201dand verify DHCP has issued a correct IP address within the VLAN specified in the WLC. In this case we have an IP from VLAN10 which is on the 192.168.10.0 network.<\/p>\n

\"11\"<\/p>\n

9.<\/strong>\u00a0Ping the default gateway and verify connectivity<\/p>\n

\"12\"<\/p>\n

10.<\/strong>\u00a0On the WLC click\u00a0\u201cMonitor\u201d\u00a0\u2013\u00a0\u201cClients\u201d\u00a0Verify the client is visible on the list as a connected client. Click the MAC address of the client for more detail.\u00a0 <\/p>\n

11.<\/strong>\u00a0From the client properties we can see that the WLAN profile and SSID the client is using is\u00a0\u201cRADIUS-EAP-TLS\u201d\u00a0the authentication is\u00a0\u201cCentral\u201d\u00a0which is our Microsoft RADIUS server. the username is\u00a0\u201cwlanuser@LNS.Internal\u201d\u00a0and the VLAN id is\u00a0\u201c10\u201d.<\/p>\n

\"14\"<\/p>\n

12.<\/strong>\u00a0if we scroll down to the\u00a0\u201cSecurity Information\u201d\u00a0We can verify that we are using\u00a0\u201c802.1X\u201d\u00a0and the EAP Type is\u00a0\u201cEAP-TLS\u201d<\/p>\n

\"15\"<\/p>\n

13.<\/strong>\u00a0Finally if we hop onto the\u00a0NPS Server, launch\u00a0\u201cEvent Viewer\u201d, expand\u00a0\u201cCustom View\u201d\u00a0\u2013\u00a0\u201cServer Roles\u201d\u00a0\u2013\u00a0\u201cNetwork Policy and Access Server\u201d\u00a0we can see the log of the client attempting to authenticate to the RADIUS server and the server allowing the access based on its network access policies.<\/p>\n

The user attempting to authenticate is \u201cWLANUser\u201d, the RADIUS Cleint forwarding the request is the \u201cCisco vWLC\u201d the authentication policies defined within NPS are checked against the user for a match. The result shows the user is allowed \u201cFull Access\u201d based on the policy.<\/p>\n

\"16\"<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

EAP TLS is one of the most secure methods of deploying wireless solutions in an organisation. It uses certificate based authentication both on the server<\/p>\n","protected":false},"author":1,"featured_media":1137,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,17],"tags":[104,29,109,114,111,110,112,113],"class_list":["post-1113","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-wireless","tag-authentication","tag-ca","tag-certificates","tag-eap-tls","tag-group-policy","tag-network-access-policy","tag-nps","tag-radius"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=1113"}],"version-history":[{"count":2,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1113\/revisions"}],"predecessor-version":[{"id":1221,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1113\/revisions\/1221"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/1137"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=1113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=1113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=1113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}