Use the 802.1X Wizard to Configure NPS Network Policies
Applies To: Windows Server 2008, Windows Vista
Follow these steps to create the connection request policies and network policies required to deploy 802.1X-capable wireless access points (APs) as Remote Authentication Dial-In User Service (RADIUS) clients to the RADIUS server running Network Policy Server (NPS).
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
After you run the Configure 802.1X wizard, the following policies are created:
One connection request policy
One network policy
You can run the Configure 802.1X wizard every time that you have to create new policies for 802.1X authenticated access.
Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.
Create policies for 802.1X authenticated wireless by using the Configure 802.1X wizard
Open the NPS Microsoft Management Console (MMC) snap-in. If it is not already selected, click NPS (Local). If you are running the NPS snap-in and want to create policies on a remote NPS, select the server.
In Getting Started and Standard Configuration, select RADIUS server for 802.1X Wireless or Wired Connections. The text and the links below the text change to reflect your selection.
Click Configure 802.1X. The Configure 802.1X wizard opens.
On the Select 802.1X Connections Type wizard page, in Type of 802.1X connections, select Secure Wireless Connections, and in Name, type a name for your policy, or leave the default name. Click Next.
On the Specify 802.1X Switches wizard page, in RADIUS clients, all 802.1X switches and wireless APs that you have added as RADIUS clients in the NPS snap-in are shown. Do any of the following:
To add network access servers (NASs), such as 802.1X-capable wireless APs, in RADIUS clients, click Add, and then, in New RADIUS client, enter the information for: Friendly name, Address (IP or DNS), and Shared Secret.
To modify the settings for any NAS, in RADIUS clients, select the AP or switch for which you want to modify the settings, and then click Edit. Modify the settings as required.
To remove a NAS from the list, in RADIUS clients, select the NAS, and then click Remove.
Removing a RADIUS client from the Configure 802.1X wizard deletes the client from the NPS server configuration. All additions, modifications, and deletions that you make in the Configure 802.1X wizard to RADIUS clients are reflected in the NPS snap-in, in the RADIUS Clients node, under NPS / RADIUS Clients and Servers. For example, if you use the wizard to remove an 802.1X switch, the switch is also removed from the NPS snap-in.
Click Next. On the Configure an Authentication Method wizard page, in Type (based on method of access and network configuration), do one of the following:
For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select Microsoft: Smart Card or other certificate, click Configure, click OK, and then click Next.
For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Smart Card or other certificate, click the Move Up button to position a smart card or other certificate at the top of the list, click OK, and then click Next.
For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Secured password (EAP-MSCHAP v2), click the Move Up button to position the secured password authentication type at the top of the list, click OK, and then click Next.
If you receive an error message that states that a certificate cannot be found for use with the authentication method, and you have configured Active Directory Certificate Services (AD CS) to automatically issue certificates to Routing and Remote Access service (RRAS) and Internet Authentication Service (IAS) servers on your network, first make sure that you have followed the steps to Register NPS in Active Directory Domain Services, then follow these steps to update Group Policy: Click Start, click Run, and in Open, type gpupdate, and then press ENTER. When the command returns results that indicate both user and computer Group Policy have been updated successfully, select Microsoft: Protected EAP (PEAP) again, and then click Configure.
If after refreshing Group Policy you continue to receive the error message stating that a certificate cannot be found for use with the authentication method, the certificate is not displayed because it does not meet the minimum server certificate requirements as documented in Foundation Network Companion Guide: Deploying Server Certificates. If this happens, you must stop NPS configuration, revoke the certificate issued to your NPS, and then follow the instructions in Foundation Network Companion Guide: Deploying Server Certificates to configure a new certificate.
In Specify User Groups, click Add, and then type the name of the security group that you configured for your wireless clients in the Active Directory Users and Computers snap-in. For example, if you named your wireless security group Wireless Group, type Wireless Group. Click Next.
Click Configure to configure RADIUS standard attributes and vendor-specific attributes for virtual LAN (VLAN) as needed, and as specified by the documentation that was provided by your wireless AP hardware vendor. Click Next.
Review the configuration summary details, and then click Finish.
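Added example, not part of the original procedure: a PowerShell script that generates a random shared secret to enter in the New RADIUS client dialog and, after the wizard finishes, uses the netsh nps show commands to confirm that the connection request policy and the network policy exist and to list the RADIUS clients that remain configured. The policy name, the secret length, and the function names are assumptions, as is the premise that both policies carry the name entered on the Select 802.1X Connections Type page.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on the NPS server.

# Build a shared secret from a 64-symbol alphabet. 256 is a multiple of 64,
# so reducing each random byte modulo 64 introduces no bias.
function New-RadiusSharedSecret([int]$Length = 48) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in $bytes) { [void]$sb.Append($alphabet[$b % 64]) }
    $sb.ToString()
}

# Returns $true when the named policy appears in the output of
# "netsh nps show crp" (connection request policies) or
# "netsh nps show np" (network policies).
function Test-NpsPolicy([string]$Kind, [string]$Name) {
    $out = netsh nps show $Kind
    [bool]($out | Select-String -SimpleMatch $Name)
}

# Before the wizard: one secret per access point, entered both in the
# New RADIUS client dialog and on the AP itself.
$secret = New-RadiusSharedSecret
"Shared secret for this AP: $secret"

# After the wizard: confirm that both policies were created.
$policyName = 'Secure Wireless Connections'   # assumption: name typed in the wizard

if (-not (Test-NpsPolicy 'crp' $policyName)) {
    Write-Warning "Connection request policy '$policyName' not found."
}
if (-not (Test-NpsPolicy 'np' $policyName)) {
    Write-Warning "Network policy '$policyName' not found."
}

# Review the RADIUS clients that remain. A client removed in the wizard is
# deleted from the NPS configuration and should not be listed here.
netsh nps show client
```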